EVALUATION REPORT
INFORMATION TECHNOLOGY: The Department of the Treasury
Federal Information Security Management Act Fiscal Year 2009
Evaluation (OIG-CA-10-003)

November 13, 2009

Office of Inspector General
Department of the Treasury


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220
OFFICE OF INSPECTOR GENERAL

November 13, 2009

MEMORANDUM FOR: DANIEL TANGHERLINI
                ASSISTANT SECRETARY OF THE TREASURY FOR MANAGEMENT, CHIEF FINANCIAL OFFICER, AND CHIEF PERFORMANCE OFFICER

                MICHAEL DUFFY
                DEPUTY ASSISTANT SECRETARY OF INFORMATION SYSTEMS AND CHIEF INFORMATION OFFICER

FROM:           Marla A. Freedman /s/
                Assistant Inspector General for Audit

SUBJECT:        The Department of the Treasury Federal Information Security Management Act Fiscal Year 2009 Evaluation

I am pleased to transmit the following reports:

• Federal Information Security Management Act Fiscal Year 2009 Evaluation – November 13, 2009
• Treasury Inspector General for Tax Administration (TIGTA) – Federal Information Security Management Act Report for Fiscal Year 2009, Audit #200920010, October 27, 2009

The Federal Information Security Management Act (FISMA) of 2002 requires an annual independent evaluation of the Department of the Treasury's information security program and practices. To meet FISMA requirements, we contracted with KPMG LLP, an independent public accounting firm, to perform the FISMA evaluation of Treasury's Non-Internal Revenue Service (IRS) unclassified systems. Attachment 1 contains the KPMG report and our Office of Management and Budget (OMB) submission, which incorporates the responses of TIGTA as well. Attachment 2 contains TIGTA's evaluation of FISMA compliance for Treasury's IRS systems. [1]

[1] We did not review the work performed by TIGTA to evaluate the information security program and practices of IRS. Our overall conclusions, insofar as they relate to IRS, are based solely on TIGTA's report (attachment 2). We did, however, coordinate with TIGTA on the scope and methodology, including sample selection, of our respective engagements.

Based on the results reported by KPMG and TIGTA, we determined that Treasury's information security program is in place and is generally consistent with FISMA. However, the KPMG evaluation of Treasury's non-IRS unclassified systems indicated that additional steps are required to ensure that Treasury's information security risk management program and practices fully comply with applicable National Institute of Standards and Technology (NIST) standards and guidelines and FISMA requirements. Specifically, KPMG reported that:

1. NIST Federal Information Processing Standard 200 minimum security control baselines were not sufficiently tested or implemented (repeat finding)
2. Breach notification policy required by OMB Memorandum 07-16 has not been finalized and issued (repeat finding)
3. The Departmental Offices Federal Desktop Core Configuration image is not fully implemented (repeat finding)
4. The Bureau of Public Debt (BPD) is not using a Security Content Automation Protocol validated tool
5. Financial Management Service (FMS) Plan of Action and Milestone estimate to completion dates and milestones were not consistently updated in accordance with FMS policy
6. Frequency of vulnerability assessment scanning at BPD is not in line with bureau and Treasury policy
7. E-authentication risk assessment was not performed at the Financial Crimes Enforcement Network.

TIGTA reported that IRS had made steady progress in complying with FISMA requirements.
TIGTA also found significant improvements in IRS information technology contingency plan testing and additional improvements in annual security controls testing, which were identified as areas needing improvement in its 2008 FISMA evaluation. TIGTA noted that IRS still needs to take action in the areas of certification and accreditation, and configuration management.

If you have any questions or require further information, you may contact me at (202) 927-5400 or Joel A. Grover, Deputy Assistant Inspector General for Financial Management and Information Technology Audits, at (202) 927-5768. For questions pertaining to the TIGTA FISMA evaluation, please contact Michael R. Phillips, Deputy Inspector General for Audit, at (202) 622-6510.

Attachments

cc: Edward A. Roback, Associate Chief Information Officer, Cyber Security


ATTACHMENT 1

The Department of the Treasury
Federal Information Security Management Act
Fiscal Year 2009 Evaluation
November 13, 2009


Table of Contents

FISMA Evaluation Report
  Executive Summary
  Background
  Objective, Scope, and Methodology
  Results
  Conclusions
  Management Response to Draft Report

Appendices
  Appendix I – Response to the FY 2009 OMB FISMA Reporting Questions
  Appendix II – Approach to the Selection of the Subset of Systems
  Appendix III – Acronym Listing


Executive Summary

This report presents the results of the Fiscal Year (FY) 2009 Federal Information Security Management Act of 2002 (FISMA) evaluation of the 12 non-Internal Revenue Service (IRS) bureaus and offices [1] of the United States Department of the Treasury (Treasury). The IRS was not included within the scope of this FISMA evaluation; the Treasury Inspector General for Tax Administration (TIGTA) performed the FISMA evaluation of the IRS. Our only use of the TIGTA results was to incorporate them into the Office of Management and Budget (OMB) FY 2009 FISMA Reporting Template (see Appendix I).

This evaluation was conducted in accordance with the Council of the Inspectors General on Integrity and Efficiency – Quality Standards for Inspections and the General Standards contained within the Generally Accepted Government Auditing Standards (GAGAS), issued by the Comptroller General of the United States.

The objectives of this evaluation were to determine, as of June 30, 2009, whether non-IRS Treasury bureaus had implemented:

• An information security program, consisting of plans, policies, procedures, and security controls, consistent with FISMA [2]
• The security control catalog contained in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 2 (Rev. 2), Recommended Security Controls for Federal Information Systems [3]

Our evaluation was performed from March 23, 2009 through October 7, 2009.

To accomplish our objectives, we evaluated controls in accordance with applicable legislation, Presidential directives, OMB policy, and NIST standards and guidelines. We reviewed the Treasury information security program from both a Department-level perspective, for Treasury-wide program-level controls, and a bureau-level implementation perspective, including an in-depth assessment of the implementation of selected security controls from the catalog in NIST SP 800-53 Rev. 2. We used the assessment guidance in NIST SP 800-53A as our security control assessment methodology. We considered each objective above to reach conclusions with regard to Treasury's information security program and practices.

[1] Treasury is comprised of 14 bureaus and offices. The scope of this evaluation excluded the IRS. Additionally, while the Special Inspector General for the Troubled Asset Relief Program (SIGTARP) is one (1) of the 14 Treasury bureaus and offices and is considered a non-IRS office for purposes of this report, its information technology assets and responsibilities are managed by the Treasury Departmental Offices. Thus, SIGTARP is considered a component of the Treasury Departmental Offices for FISMA reporting purposes. The 14 bureaus and offices of Treasury are described in the Background section of this report.
[2] This objective includes the completion of the OMB FY 2009 FISMA Reporting Template for IGs, which is presented in Appendix I of this report.
[3] The conclusion for this objective is based on five (5) of the 18 systems selected in the representative subset of Treasury systems with a NIST Federal Information Processing Standard (FIPS) 199 system impact level of Moderate.
[4] The FISMA evaluation of the IRS is performed by TIGTA.

During the FY 2009 FISMA Evaluation, we noted that the 12 non-IRS Treasury bureaus and offices have made progress in improving information security controls and practices. [4] Following our FY 2008 FISMA audit [5], Treasury has continued to strengthen its inventory reporting processes by more effectively using the Trusted Agent FISMA (TAF) system [6] as the consolidated FISMA inventory system of record for Treasury. In addition, Treasury has implemented a training tool to facilitate the uniform delivery of security awareness training and specialized security training.
As of the close of fieldwork, 11 of the 12 non-IRS bureaus and offices were using this tool. [7] This tool also has mechanisms that allow bureau-level Chief Information Officer (CIO) and Treasury Office of the Chief Information Officer (OCIO) Cyber Security Program personnel to track compliance with Information Technology (IT) training requirements. Lastly, Treasury continues to implement NIST SP 800-70 compliant secure configuration baselines across all non-Federal Desktop Core Configuration (FDCC) platforms.

[5] In FY 2008 the engagement was conducted as a performance audit; the FY 2009 engagement was performed in accordance with the Council of the Inspectors General on Integrity and Efficiency – Quality Standards for Inspections.
[6] TAF is an enterprise tool for aggregating data reported by Treasury bureaus to gauge how well the Department is complying with key information security practices and controls.
[7] Only the Office of the Comptroller of the Currency (OCC) was not using the Treasury training tool.

In addition, we noted that eight (8) of the 11 findings reported during the FY 2008 FISMA Performance Audit have been resolved and one (1) finding was partially closed.

However, we also noted areas needing improvement where Treasury should take additional steps to ensure that its information security risk management program and practices fully comply with applicable NIST standards and guidelines and FISMA requirements. Specifically:

1. NIST Federal Information Processing Standard (FIPS) 200 Minimum Security Control Baselines Were Not Sufficiently Tested or Implemented (Repeat Finding). Treasury has continued to make progress in addressing the information security risk management requirements of FISMA and NIST, including the certification and accreditation of information systems and the implementation of the minimum security controls outlined in NIST FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, and NIST SP 800-53 Rev. 2. The OCIO Cyber Security Program has built a program to oversee the certification and accreditation efforts of all Treasury bureaus. In addition, the majority of bureaus evaluated have made progress in implementing the NIST SP 800-53 Rev. 2 minimum security control baseline within systems under their control. However, we noted that the minimum security controls required by NIST FIPS 200 were not tested or fully implemented for three (3) systems within our representative subset of non-IRS Treasury information systems and one (1) system previously identified during the FY 2008 FISMA Audit. Specifically, during the FY 2008 audit we noted that the Bureau of Engraving and Printing (BEP), the Office of Thrift Supervision (OTS), and the Alcohol and Tobacco Tax and Trade Bureau (TTB) had not sufficiently tested or implemented the NIST SP 800-53 Rev. 2 security control baseline for systems under their control. At the conclusion of the FY 2009 FISMA Evaluation, the systems under the control of OTS within our scope still did not have a sufficiently implemented or tested security control baseline. We also noted that the Financial Management Service (FMS) has not sufficiently tested the NIST SP 800-53 Rev. 2 security control baseline for two (2) systems under its control.

2. Breach Notification Policy Required by OMB Memorandum 07-16 Has Not Been Finalized and Issued (Repeat Finding). OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, issued on May 22, 2007, required that agencies develop a policy for Personally Identifiable Information (PII) breach notifications. OMB Memorandum 07-16 required that this policy be issued within 120 days after the date of the memorandum, September 22, 2007. To date, Treasury Directive (TD) 25-08, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, has not been finalized and issued.

3. The Departmental Offices (DO) FDCC Image Is Not Fully Implemented (Repeat Finding). At the conclusion of the FY 2008 FISMA Audit, we noted that four (4) of the 12 non-IRS Treasury bureaus and offices (DO, the Financial Crimes Enforcement Network (FinCEN), the Office of Inspector General (OIG), and OTS) had not fully implemented their FDCC baselines. As of the conclusion of the FY 2009 FISMA Evaluation, only DO still had not implemented the FDCC secure configuration baseline on all workstations in accordance with Treasury Chief Information Officer Memorandum 07-14, Implementation of Commonly Accepted Security Configurations for Windows Operating Systems, and OMB Memorandum 07-11, Implementation of Common Security Configurations for IT Systems Using Windows XP or Vista.

4. The Bureau of the Public Debt (BPD) Is Not Using a Security Content Automation Protocol (SCAP) Validated Tool. As of the conclusion of the FY 2009 FISMA reporting period, BPD was not using an SCAP-validated tool to scan the BPD FDCC secure configuration baseline in accordance with OMB Memorandum 08-22, Guidance on the Federal Desktop Core Configuration.

5. FMS Plan of Action and Milestone (POA&M) Estimated Completion Dates and Milestones Were Not Consistently Updated in Accordance with FMS Policy. Discrepancies were identified in the management of POA&M weaknesses for three (3) of the five (5) systems selected at FMS. Specifically, 11 of the 15 weaknesses sampled across these systems were still open, carried a status of "delayed", and were past their estimated completion dates.

6. Frequency of Vulnerability Assessment Scanning at BPD Is Not in Line with Bureau and Treasury Policy. The frequency of vulnerability scanning for a system selected at BPD does not comply with Treasury-wide policy, BPD policy, or the control requirements outlined in the system's security plan. The system is currently scanned for vulnerabilities annually, whereas Treasury policy and the system's security plan require scanning at least quarterly, and BPD bureau-wide IT policy requires scanning at least semiannually.

7. E-Authentication Risk Assessment Was Not Performed at the Financial Crimes Enforcement Network (FinCEN). Treasury has established policies requiring an E-Authentication Risk Assessment for information systems with Web-based identification and authentication mechanisms. We identified one (1) system within our representative subset of non-IRS Treasury systems at FinCEN as having a Web-based identification and authentication mechanism; however, an E-Authentication Risk Assessment was not performed.

Overall, while continued improvements are still needed across five (5) of the 12 non-IRS bureaus and offices, we determined that an information security program is in place and is generally consistent with FISMA. All of our findings, which warrant management attention and corrective action, are included in the Results section of this report. Management concurs with all reported findings and recommendations. The OCIO's written response to our draft report, dated November 2, 2009, is included within this report.


Background

On December 17, 2002, the President signed into law H.R. 2458, the E-Government Act of 2002 (Public Law 107-347). Title III of the E-Government Act of 2002, commonly referred to as FISMA, focuses on improving oversight of federal information security programs and facilitating progress in correcting agency information security weaknesses. FISMA requires federal agencies to develop, document, and implement an agency-wide information security program that provides security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
FISMA assigns specific responsibilities to agency heads and Inspectors General (IG) and is supported by security policy promulgated through OMB and risk-based standards and guidelines published by NIST.

Under FISMA, agency heads are responsible for providing information security protections commensurate with the risk and magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems. FISMA directs federal agencies to report annually to the OMB Director, the Comptroller General, and selected Congressional committees on the adequacy and effectiveness of agency information security policies, procedures, and practices and on compliance with FISMA. In addition, FISMA requires agencies to have an annual independent evaluation performed of their information security programs and practices and to report the evaluation results to OMB. FISMA states that the independent evaluation is to be performed by the agency IG or by an independent external auditor as determined by the IG.

In support of agency responsibilities, OMB regularly issues policies through annual reporting instructions and other guidelines for agencies to follow in meeting FISMA annual reporting requirements. Additionally, in response to the FISMA mandate and OMB policy, NIST developed standards and guidelines as part of a comprehensive risk management framework to assist agencies in establishing an information security management program. This risk management framework is designed to help agencies categorize information and systems, define minimum security baselines, test security controls, authorize systems into production, and perform monitoring activities. Among these standards is NIST FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, issued in February 2004 as the first of two (2) mandatory security standards required by FISMA. NIST FIPS 199 establishes security categories for federal agencies to use in categorizing information and information systems based on the potential impact that a loss of confidentiality, integrity, or availability would have on an agency mission or on individuals.

NIST FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, is the second of the mandatory security standards developed in response to FISMA and provides direction to agencies in determining the minimum "foundational" level of security controls to select for protecting the confidentiality, integrity, and availability of information and systems. Specifically, NIST FIPS 200 states that the selected set of security controls must include one (1) of the three (3) appropriately tailored security control baselines from NIST SP 800-53 Rev. 2, corresponding to the impact level of the information system as determined during the security categorization process. NIST SP 800-53 Rev. 2 features 17 control families organized into management, operational, and technical control areas for protecting federal information and information systems. In accordance with the security requirements in NIST FIPS 200, organizations must employ all security controls in the applicable security control baseline unless specific exceptions are allowed under the tailoring guidance provided in NIST SP 800-53 Rev. 2. This involves (i) selecting an initial set of baseline security controls based on a NIST FIPS 199 worst-case impact analysis; (ii) tailoring the baseline security controls; and (iii) supplementing the security controls, as necessary, based on an organizational assessment of risk. As a companion to NIST SP 800-53 Rev. 2, NIST released SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, in July 2008; it covers both the security control assessment and continuous monitoring steps in the Risk Management Framework and provides guidance on the security assessment process.

Treasury Bureaus and Offices

Treasury is comprised of 14 operating bureaus and offices:

• Alcohol and Tobacco Tax and Trade Bureau (TTB) – Responsible for enforcing and administering laws covering the production, use, and distribution of alcohol and tobacco products. TTB also collects excise taxes for firearms and ammunition.
• Bureau of Engraving and Printing (BEP) – Designs and manufactures U.S. (paper) currency, securities, and other official certificates and awards.
• Bureau of the Public Debt (BPD) – Borrows the money needed to operate the federal government. It administers the public debt by issuing and servicing U.S. Treasury marketable, savings, and special securities.
• Community Development Financial Institutions (CDFI) Fund – Created to expand the availability of credit, investment capital, and financial services in distressed urban and rural communities.
• Departmental Offices (DO) – Primarily responsible for policy formulation. DO is composed of divisions headed by Assistant Secretaries, some of whom report to Under Secretaries.
• Financial Crimes Enforcement Network (FinCEN) – Supports law enforcement investigative efforts and fosters interagency and global cooperation against domestic and international financial crimes. It also provides U.S. policy makers with strategic analyses of domestic and worldwide trends and patterns.
• Financial Management Service (FMS) – Receives and disburses all public monies, maintains government accounts, and prepares daily and monthly reports on the status of government finances.
• Internal Revenue Service (IRS) – Responsible for determining, assessing, and collecting internal revenue in the United States.
• Office of the Comptroller of the Currency (OCC) – Charters, regulates, and supervises national banks to ensure a safe, sound, and competitive banking system that supports the citizens, communities, and economy of the United States.
• Office of Inspector General (OIG) – Conducts and supervises audits and investigations of Treasury programs and operations. The OIG also keeps the Secretary and the Congress fully and currently informed about problems, abuses, and deficiencies in Treasury programs and operations.
• Office of Thrift Supervision (OTS) – The primary regulator of all federal and many state-chartered thrift institutions, which include savings banks and savings and loan associations.
• United States Mint (Mint) – Designs and manufactures domestic, bullion, and foreign coins as well as commemorative medals and other numismatic items. The Mint also distributes U.S. coins to the Federal Reserve banks and maintains physical custody and protection of the nation's silver and gold assets.
• Special Inspector General for the Troubled Asset Relief Program (SIGTARP) – Has the responsibility to conduct, supervise, and coordinate audits and investigations of the purchase, management, and sale of assets under the Troubled Asset Relief Program.
  SIGTARP's goal is to promote economic stability by assiduously protecting the interests of those who fund the TARP programs, i.e., the American taxpayers.
• Treasury Inspector General for Tax Administration (TIGTA) – Conducts and supervises audits and investigations of IRS programs and operations. TIGTA also keeps the Secretary and the Congress fully and currently informed about problems, abuses, and deficiencies in IRS programs and operations.

Treasury Information Security Management and Program

Treasury OCIO

The Treasury CIO is responsible for providing Treasury-wide leadership and direction for all areas of information and technology management, as well as oversight of a number of IT programs. Among these programs is Cyber Security, which is responsible for the implementation and management of Treasury-wide IT security programs and practices. Through its mission, the Treasury OCIO Cyber Security Program develops and implements IT security policies and provides policy compliance oversight for both unclassified and classified systems managed by each of Treasury's bureaus. The OCIO Cyber Security Program's mission focuses on the following areas:

• Cyber Security Policy and Program Performance
• Cyber Security FISMA Performance and Technical Review
• Vulnerability Analysis
• Configuration and Planning
• Cyber Critical Infrastructure Protection (CIP)
• Treasury Computer Security Incident Response Capability (TCSIRC)
• Cyber Security Sub-Council (CSS) of the Treasury CIO Council

The Treasury CIO has tasked the Associate CIO for Cyber Security (ACIOCS) with managing and directing the OCIO's Cyber Security program and with ensuring compliance with statutes, regulations, policies, and guidance. The ACIOCS and the Cyber Security program have established Treasury Directive Publication (TD P) 85-01, Treasury Information Technology Security Program, as the Treasury-wide IT security policy providing for the security of all information and information systems that support the mission of Treasury, including those operated by another federal agency or a contractor on behalf of Treasury. In addition, as OMB periodically releases updates or clarifications of FISMA guidance and as NIST releases updates to its publications, the ACIOCS and the Cyber Security program are responsible for interpreting them and releasing updated policy for Treasury. The ACIOCS and the Cyber Security program are also responsible for promoting and coordinating a Treasury-wide IT security program and for monitoring and evaluating the status of Treasury's IT security posture and its compliance with statutes, regulations, policies, and guidance. Lastly, the ACIOCS is responsible for managing Treasury's IT CIP program for Treasury information technology assets.

Bureau OCIO

Each bureau OCIO is managed by a bureau CIO. The bureau CIO is responsible for managing the bureau's IT security program and for advising the bureau head on significant issues related to it. Bureau CIOs are also responsible for overseeing the development of procedures that comply with Treasury OCIO policy and guidance and with federal statutes, regulations, policy, and guidance. The bureau Chief Information Security Officers are tasked by the bureau CIOs to serve as the central point of contact for the bureau's IT security program and to develop and oversee that program, including the development of the policies, procedures, and guidance required to implement and monitor it.

Treasury – Bureau OCIO Collaboration

The Treasury OCIO has established the Treasury CIO CSS, which is chaired by the ACIOCS. The CSS serves as a mechanism for obtaining bureau-level input and advises on new policies, Treasury-wide IT security activities, and performance measures. The CSS also provides a means for sharing IT security-related information among bureaus. Included on the CSS are representatives from the OCIO and the bureau CIO organizations, as well as from the OIG – Office of IT Audits and the TIGTA – Office of Audits.

Treasury Privacy and Data Protection Program

Treasury established a department-wide privacy program to protect the PII it manages from unauthorized use, access, disclosure, or sharing and to safeguard the associated information systems from unauthorized access, modification, disruption, or destruction. Key components of Treasury's privacy program include, but are not limited to:

• The role of Chief Privacy Officer (CPO) and Senior Agency Official for Privacy, which is held by the Assistant Secretary for Management/Chief Financial Officer.
• The Office of Privacy and Treasury Records (OPTR), established on March 24, 2008 as the program management office that supports the Treasury CPO in developing and implementing privacy requirements, including policies and procedures for managing and protecting PII. OPTR also provides privacy and data protection program oversight of all Treasury bureaus and offices in carrying out the directives and policies developed by OPTR. Additionally, OPTR is responsible for establishing a privacy awareness program, disseminated to the bureaus, regarding Treasury employees' privacy responsibilities. OPTR includes the Office of Privacy and Civil Liberties, the Office of Disclosure Services, Treasury Records, the Treasury Library, and the Orders and Directives Program.
• A bureau privacy officer in each of the 14 Treasury bureaus and offices. The bureau privacy officer acts as a liaison between the bureau's system owners, OPTR, and the CPO to ensure that privacy and data protection programs are operating effectively at the bureau level. This includes performing Privacy Threshold Analyses and Privacy Impact Assessments (PIA) on all information systems. Bureau privacy officers work with the system owners to analyze the data being processed in each system and to determine whether the data contains PII.


Objective, Scope, and Methodology

The objectives of our evaluation were to determine, as of June 30, 2009, whether non-IRS Treasury bureaus had implemented:

• An information security program, consisting of plans, policies, procedures, and security controls, consistent with FISMA [8]
• The security control catalog contained in NIST SP 800-53 Rev. 2 [9]

To accomplish our objectives, we evaluated controls in accordance with applicable legislation, Presidential directives, OMB policy, and NIST standards and guidelines. We reviewed the Treasury information security program from both the Department-level perspective, for Treasury-wide program-level controls, and the bureau-level implementation perspective, including the NIST SP 800-53 Rev. 2 minimum security control baselines established by NIST FIPS 200. We considered each area above to reach conclusions with regard to Treasury's information security program and practices.

Department Level

To gain an overall enterprise-level understanding, we assessed management, policies, and guidance for the overall Treasury-wide information security program against the requirements defined in FISMA and OMB/NIST standards, as well as the guidelines developed in response to FISMA.
This included program\ncontrols applicable to information security governance, security and contingency planning, certification\nand accreditation, incident response, configuration management, and security awareness and training.\n\nBureau Level\n\nAs required by FISMA, we also performed tests for a representative subset of 18 information systems out\nof a total population of 121 non-IRS major applications and general support systems as of April 2, 2009\nto determine whether bureaus were effective in implementing Treasury\xe2\x80\x99s security program in meeting\nminimum security standards to protect information and information systems (see Appendix II detailing\nour system selection approach). The subset of systems encompassed systems managed and operated by 12\nof 14 Treasury bureaus and offices, excluding the IRS.\n\nA key component of assessing controls for the representative subset of systems was to assess\nimplementation of minimum security control requirements per guidance provided from the NIST SP 800-\n53 Rev. 2 for a selection of security controls across five (5) of the 18 systems within the representative\nsubset of non-IRS Treasury information systems selected for FISMA reporting. As shown in Table 1,\nNIST SP 800-53 Rev. 
2 features 17 control families that are organized into management, operational, and\ntechnical control areas for protecting federal information and information systems.\n\n\n\n\n8\n  This objective includes the completion of the OMB FY 2009 FISMA Reporting Template for IGs,\nwhich is presented in Appendix I of this report.\n9\n  The conclusion for this objective is based on (five) 5 of the 18 systems selected in the representative\nsubset of Treasury systems with a NIST FIPS 199 system impact level of Moderate.\n\n                                                                                                   Page 8\n\x0c                          Table 1: Security Control Classes and Families 10\n               Security Control Class                Security Control Family\n                                       Risk Assessment\n                                       Planning\n              Management               System and Services Acquisition\n                                       Certification, Accreditation, and Security\n                                       Assessments\n                                       Personnel Security\n                                       Physical and Environmental Protection\n                                       Contingency Planning\n                                       Configuration Management\n              Operational              Maintenance\n                                       System and Information Integrity\n                                       Media Protection\n                                       Incident Response\n                                       Awareness and Training\n                                       Identification and Authentication\n                                       Access Control\n              Technical\n                                       Audit and Accountability\n                                       System and Communications Protection\n\nOur criteria for selecting controls 
within each system to review were based on the following:\n\n\xe2\x80\xa2     Highly volatile controls that have the potential to affect a significant number of information systems,\n      such as common controls or those critical to a specific system which are likely to change over time.\n\xe2\x80\xa2     Specific high-risk controls that are crucial to the protection of a system were considered for selection\n      as part of the testing requirement. These are not necessarily the same as highly volatile controls and\n      may or may not be POA&M items.\n\xe2\x80\xa2     Testing of a system\xe2\x80\x99s security-relevant changes that occur out of the certification and accreditation\n      cycle but do not necessarily constitute a major change necessitating a new certification and\n      accreditation.\n\nOur methodology for the assessment of the selected controls was based on the recommended guidance in\nNIST SP 800-53A.\n\nOther Considerations\n\nIn performing our control evaluations, we interviewed key Treasury OCIO personnel who had significant\ninformation security responsibilities as well as personnel across the 12 non-IRS bureaus and offices. We\nalso evaluated Treasury and bureaus\xe2\x80\x99 policies, procedures, and guidelines. Lastly, we evaluated selected\nsecurity-related documents and files, including certification and accreditation packages, configuration\nassessment results, IT service contracts, training records, and strategic and annual performance plans.\n\n\n\n\n10\n     Source: NIST SP 800-53 Rev. 2\n\n                                                                                                       Page 9\n\x0cWe performed our evaluation at Treasury\xe2\x80\x99s headquarters offices in Washington, D.C., and bureau\nlocations in Washington, D.C.; Hyattsville, Maryland; McLean, Virginia; Parkersburg, West Virginia;\nand Richmond, Virginia during the period of March 23, 2009 through November 2, 2009. 
During our\nevaluation, we met with Treasury management to discuss our preliminary conclusions. This evaluation\nwas conducted in accordance with the Council of Inspectors General on Integrity and Efficiency \xe2\x80\x93 Quality\nStandards for Inspections and the General Standards contained within GAGAS, issued by the Comptroller\nGeneral of the United States.\n\nApplicable Criteria\n\nOur approach to this FISMA evaluation is based on federal information security criteria developed by\nNIST and OMB. NIST SPs provide guidelines that are considered essential to the development and\nimplementation of agencies\xe2\x80\x99 security programs. 11 The following is a listing of the criteria used in the\nperformance of the FY 2009 FISMA Evaluation:\n\n\xe2\x80\xa2    OMB Circular A-130, Management of Federal Information Resources\n\xe2\x80\xa2    NIST FIPS 199, Standards for Security Categorization of Federal Information and Information\n     Systems\n\xe2\x80\xa2    NIST FIPS 200, Minimum Security Requirements for Federal Information and Information Systems\n\xe2\x80\xa2    NIST SP:\n     o 800-16, Information Technology Security Training Requirements: A Role- and Performance-\n         Based Model\n     o 800-18 Rev. 1, Guide for Developing Security Plans for Information. Technology System\n     o 800-30, Risk Management Guide for Information Technology Systems\n     o 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems\n     o 800-39, Managing Risk from Information Systems: An Organizational Perspective\n     o 800-34, Contingency Planning Guide for Information Technology Systems\n     o 800-53 Rev. 
2, Recommended Security Controls for Federal Information Systems\n     o 800-53A, Guide for Assessing the Security Controls in Federal Information Systems\n     o 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories\n     o 800-61, Computer Security Incident Handling Guide\n     o 800-70, Security Configuration Checklists Program for IT Products: Guidance for Checklists\n         Users and Developers\n\xe2\x80\xa2    OMB Memoranda\n      o 04-04, E-Authentication Guidance for Federal Agencies\n      o 04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act\n      o 07-11, Implementation of Commonly Accepted Security Configurations for Windows Operating\n          Systems\n      o 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable\n          Information\n      o 07-18, Ensuring New Acquisitions Include Common Security Configurations\n\n11\n   Note (per OMB instructions): While agencies are required to follow NIST standards and guidance in\naccordance with OMB policy, there is flexibility within NIST\xe2\x80\x99s guidance documents (specifically in the\n800 series) in how agencies apply the guidance. However, NIST FIPS are mandatory. Unless specified by\nadditional implementing policy by OMB, guidance documents published by NIST generally allow\nagencies latitude in their application. 
Consequently, the application of NIST guidance by agencies can\nresult in different security solutions that are equally acceptable and compliant with the guidance.\n\n\n\n                                                                                                Page 10\n\x0co   08-22, Guidance on the Federal Desktop Core Configuration (FDCC)\no   09-29, FY 2009 Reporting Instructions for the Federal Information Security Management Act\n    and Agency Privacy Management\n\n\n\n\n                                                                                     Page 11\n\x0cResults\n\nDuring our FY 2009 FISMA evaluation, we noted that the 12 non-IRS Treasury bureaus and offices\ncontinue to make progress in improving information security controls and practices. 12 Following our FY\n2008 FISMA Audit, Treasury has continued to strengthen its inventory reporting processes by more\neffectively using the TAF system to serve as the consolidated FISMA inventory system of record for the\nTreasury. 13 In addition, Treasury has implemented a Treasury-wide training tool to facilitate the uniform\ndelivery of security awareness training and specialized security training. As of the close of fieldwork, 11\nof the 12 non-IRS bureaus and offices were using this tool 14 . This tool also has mechanisms to allow\nbureau-level CIOs and Treasury OCIO Cyber Security Program personnel to track compliance with IT\ntraining requirements. Lastly, Treasury continues to implement NIST SP 800-70 compliant secure\nconfigurations baselines across all non-FDCC platforms. However, based on our FY 2009 FISMA\nevaluation, we noted seven (7) areas needing improvement. These areas are:\n\n1. NIST FIPS 200 minimum security control baselines not sufficiently tested or implemented.\n2. Breach notification policy required by OMB Memorandum 07-16 has not been not finalized and\n   issued.\n3. DO FDCC image not fully implemented.\n4. 
BPD is not using a security content automation protocol validated tool.\n5. FMS POA&M estimate to completion dates and milestones were not consistently updated in\n   accordance with FMS policy.\n6. Frequency of Vulnerability Assessment Scanning at BPD is not In Line with Bureau and Treasury\n   Policy.\n7. E-Authentication risk assessment was not performed at FinCEN.\n\nTreasury should take additional steps to ensure that its information security risk management program and\npractices fully comply with applicable NIST standards and guidelines, and FISMA requirements.\n\n\n\n\n12\n   The FISMA evaluation of the IRS is performed by TIGTA.\n13\n   TAF is an enterprise tool for aggregating data reported by Treasury bureaus to gauge how well the\nDepartment is complying with key information security practices and controls.\n14\n   Only the Office of the Comptroller of Currency (OCC) was not using the Treasury training tool.\n\n                                                                                                  Page 12\n\x0c      Findings\n\n      1. NIST FIPS 200 Minimum Security Control Baselines Not Sufficiently Tested or\n         Implemented (Repeat Finding)\n          Treasury has continued to make progress in addressing information security risk management\n          requirements of FISMA and NIST, including the certification and accreditation of information\n          systems and the implementation of minimum security controls outlined in NIST FIPS 200 and\n          NIST SP 800-53 Rev. 2. The majority of bureaus evaluated have made progress in implementing\n          the NIST SP 800-53 Rev. 2 minimum security control baseline within systems under their\n          controls. In addition, the OCIO Cyber Security Program has built a program to oversee the\n          certification and accreditation efforts of all Treasury bureaus. 
However, we noted that the\n          minimum security controls required by NIST FIPS 200 were not tested or fully implemented for\n          three systems within our representative subset of non-IRS Treasury information systems and one\n          system previously identified during the FY 2008 FISMA Audit. Specifically, for the three (3)\n          information systems reviewed and one system that was identified to have a deficiency in our FY\n          2008 FISMA Audit report, we noted:\n\n          \xe2\x80\xa2   Two (2) systems at FMS operating under a full authority to operate at the conclusion of the\n              FY 2009 FISMA reporting period 15 were identified as having incomplete testing over the full\n              NIST SP 800-53 Rev. 2 minimum security control baselines. In addition, a full risk\n              assessment, per NIST SP 800-30, was not performed over either system as part of these\n              efforts. Due to limited resource and time constraints, FMS made a risk-based decision to give\n              priority to the assessment of the NIST SP 800-53 Rev. 2 technical security control families\n              during the recertification of each system. FMS management decided to base the initial\n              reaccreditation on the results of these technical testing activities alone due to the overarching\n              need to keep these systems operational. The certification letters of both systems documented\n              this scope limitation. FMS management then intended to continue with the full recertification\n              and accreditation of each system, with the goal of reissuing a full authority to operate during\n              the FY 2010 FISMA reporting cycle. FMS created a weakness in the POA&M for one (1)\n              system to complete the testing of the NIST SP 800-53 Rev. 
2 management and operational\n              security control families by September 30, 2009; however, a POA&M weakness was not\n              created for the second system. The complete Security Assessment Report for this second\n              system, which included a risk assessment and testing of all management, operational, and\n              technical controls in the NIST SP 800-53 Rev. 2 security baseline for a system with a FIPS\n              199 system impact level of High, had not been finalized as of the conclusion of fieldwork.\n              FMS was planning to reissue a full authority to operate for this system once the Security\n              Assessment Report had been completed, as well as complete the full recertification of the first\n              system by September 30, 2009.\n\n              By not performing a risk assessment, FMS management may be unaware of the likelihood and\n              impact of the threats and related vulnerabilities posed to FMS information and information\n              systems. Subsequently, FMS may not have the appropriate controls in place to mitigate these\n              threats and related vulnerabilities.\n\n              By not fully testing the minimum security control baseline according to NIST FIPS 200 and\n              NIST SP 800-53 Rev. 2, the confidentiality, integrity, and availability of sensitive information\n\n\n15\n     The FY 2009 FISMA reporting period is July 1, 2008 through June 30, 2009.\n\n                                                                                                      Page 13\n\x0c    systems that support the mission of the FMS under the control of both systems are susceptible\n    to compromise.\n\n\xe2\x80\xa2   (Repeat Finding) During FY 2008, OTS reorganized the FISMA system inventory into\n    functional IT units. The authorities to operate for each system expired during the FY 2007\n    FISMA reporting period. 
OTS did not re-perform the certification and accreditation of each\n    system due to a planned process to redefine the FISMA system inventory, which occurred in\n    the FY 2008 FISMA reporting period.\n\n    Because of this reorganization and the subsequent certification and accreditation efforts, OTS\n    management noted that the full NIST FIPS 200 and NIST SP 800-53 Rev. 2 minimum security\n    control baseline had not been implemented for one system selected as part of the FY 2008\n    FISMA audit representative subset of non-IRS Treasury systems. Specifically, the security test\n    and evaluation of this system identified that several security controls outlined in the Moderate\n    baseline were not in place and an Interim Authority to Operate (IATO) was issued on June 27,\n    2008 for a period of 180 days. According to OTS management, the designated approving\n    authority assessed the risks presented as part of the certification and accreditation process, then\n    granted this system an IATO until December 31, 2008. During the FY 2009 FISMA\n    Evaluation, many of these security weaknesses in this system remained open, causing OTS\n    management to issue an extension to the IATO on June 25, 2009 to September 25, 2009.\n\n    As part of the FY 2009 FISMA Evaluation, a second OTS system was selected for this FY\n    2009 FISMA Evaluation. This second system inherits a number of security controls from the\n    system selected as part of the FY 2008 FISMA Audit. Because of this, the second system also\n    remained in an IATO status as of the end of the FY 2009 FISMA reporting period. This\n    second system was also issued an extension of the IATO on June 25, 2009 to September 25,\n    2009 by OTS management.\n\n    At the conclusion of the FY 2009 FISMA reporting period, both systems identified above were\n    not fully accredited. 
OTS is currently in the process of resolving the identified security\n    weaknesses with the intent of obtaining a full authority to operate for both systems early in the\n    FY 2010 FISMA reporting period. OTS management had developed a POA&M to track the IT\n    security weaknesses identified during the certification and accreditation process. However,\n    neither system was fully accredited at the conclusion of the FY 2009 FISMA reporting period.\n\n    The confidentiality, integrity, and availability of sensitive or personally identifiable\n    information contained within either OTS systems could be susceptible to compromise when a\n    minimum security control baseline has not been fully implemented.\n\nWe recommend that FMS management:\n\n1. Complete the full certification and accreditation of the first FMS system identified above by\n   the estimated completion date being tracked in the POA&M.\n\n2. Finalize the security assessment reporting process and reissue the full authority to operate for\n   the second FMS system identified above.\n\nWe recommend that OTS management:\n\n\n\n                                                                                              Page 14\n\x0c   3. Continue with plans to resolve the one (1) remaining high-risk weakness identified during the\n      certification and accreditation process and achieve a full authority to operate during the FY\n      2010 FISMA reporting period.\n\n2. Breach Notification Policy Required by OMB Memorandum 07-16 has not been not\n   Finalized and Issued (Repeat Finding)\n\n   OMB Memorandum 07-16, issued on May 22, 2007, required that a policy be developed for the\n   PII breach notifications. OMB Memorandum 07-16 required that this policy be issued within 120\n   days after the date of the memorandum, September 22, 2007. To date, TD 25-08 has not been\n   finalized. 
According to the OPTR management, several major rewrites of TD 25-08 occurred\n   while the document was in the clearance process, causing delays in implementation. At the\n   conclusion of our FY 2009 FISMA Evaluation fieldwork, OPTR management stated that TD 25-\n   08 has been re-written and is awaiting formal clearance process. The planned implementation date\n   is December 31, 2009.\n\n   Without formal policy related to the collection, use, sharing, disclosure, transfer, and storage of\n   PII in place at the Treasury, information in identifiable form may not be adequately protected.\n\n   The recommendation remains open from FY 2008.\n\n3. DO FDCC Image Not Fully Implemented\n\n   At the conclusion of the FY 2008 FISMA Audit, we noted that four (4) of the 12 non-IRS\n   Treasury bureaus and offices, DO, the Financial Crimes Enforcement Network (FinCEN), the\n   OIG, and OTS, had not fully implemented their FDCC baselines. As of the conclusion of the FY\n   2009 FISMA Evaluation, we noted that only DO still had not implemented the FDCC secure\n   configuration baseline on all workstations in accordance with Treasury Chief information Officer\n   Memorandum 07-14, Implementation of Commonly Accepted Security Configurations for\n   Windows Operating Systems, and OMB Memorandum 07-11, Implementation of Common\n   Security Configurations for IT Systems Using Windows XP or Vista.\n\n   DO IT management stated that DO is manually applying their FDCC image to all headquarters\n   workstations to provide end users training on the new FDCC desktop configurations. As of the\n   end of the FY 2009 FISMA reporting period, DO has implemented their FDCC image on about\n   80% of headquarters workstations and expects to be completed by November 15, 2009. 
DO IT\n   management is tracking the progress of this weakness via a POA&M weakness.\n\n   By not applying the FDCC secure baseline configuration requirements for Microsoft\xc2\xae Windows\xc2\xae\n   XP, DO information systems are under increased risk of exposure relative to the confidentiality,\n   integrity, and availability of sensitive information and information systems controlled by these\n   operating systems.\n\n   We recommend that DO management:\n\n    4. Fully implement the DO FDCC secure baseline configurations on all headquarters end-user\n       workstations by the due date outlined in the POA&M.\n\n4. BPD Not Using a Security Content Automation Protocol Validated Tool\n\n\n                                                                                             Page 15\n\x0c   As of the conclusion of the FY 2009 FISMA reporting period, BPD was not using a SCAP\n   validated tool to scan the BPD FDCC secure configuration baseline in accordance with OMB\n   Memorandum 08-22, which requires that agencies use SCAP tools to scan FDCC configurations\n   and approved configuration deviations. BPD had been using a freeware version of a SCAP\n   validated tool. However, BPD management was not satisfied with the quality of the results the\n   tool provided and discontinued using it. BPD then began manually validating their FDCC image\n   against the NIST FDCC secure configuration baseline. BPD has since purchased a license for a\n   second SCAP validated tool; however, as of the close of the FY 2009 FISMA reporting period this\n   tool was not implemented.\n\n   By not using a SCAP tool to validate the implementation of the FDCC secure configuration\n   baseline, BPD may be unable ensure continued compliance with FDCC.\n\n   We recommend that BPD management:\n\n    5. Continue with efforts to implement a SCAP-validated tool.\n\n    6. Utilize a SCAP-validated tool to monitor the BPD FDCC secure configuration baseline\n       image.\n\n5. 
FMS POA&M Estimate to Completion Dates and Milestones Were Not Consistently\n   Updated in Accordance with FMS Policy.\n\n   Treasury has developed policies and procedures for the development and maintenance of\n   POA&Ms. In addition, Treasury has implemented the TAF tool to serve as a central repository\n   for POA&M weakness maintenance and tracking. Through this tool, the OCIO Cyber Security\n   Program is also able to oversee the bureau-level management and tracking of the POA&M process\n   and perform quality control reviews of the POA&M process. However, discrepancies in the\n   management of the POA&M process were identified at FMS. Specifically, for three (3) of the five\n   (5) FMS systems selected, estimate to complete dates were not consistently managed in\n   accordance with FMS policy and TDP 85-01. Of the 15 weaknesses sampled out of a population\n   of 222 across these three (3) FMS systems, 11 have estimate to complete dates that have passed\n   with no actual completion date listed.\n\n   According to FMS, the System Owner and Information System Security Officer of each of these\n   systems inadvertently neglected to update the estimate to complete date or milestones after they\n   had passed.\n\n   By not consistently managing the estimate to complete dates and milestones being tracked on the\n   POA&M, FMS\xe2\x80\x99s ability to correct IT security weaknesses in a timely manner may be impaired.\n\n   We recommend that FMS management:\n\n    7. Update the estimate to complete dates and milestones for each of the identified weaknesses to\n       reflect the status.\n\n    8. Provide additional oversight across all FMS systems to ensure that the POA&M process is\n       managed in accordance with FMS, Treasury, and OMB policy and guidance.\n\n\n                                                                                            Page 16\n\x0c6. 
Frequency of Vulnerability Assessment Scanning at BPD Is Not In Line with Bureau and Treasury Policy.

The frequency of vulnerability scanning over one (1) system selected at BPD is not in compliance with Treasury-wide policy and the control requirements outlined in the system's security plan. Currently, this system is scanned for vulnerabilities annually. The minimum frequency of vulnerability scanning required by Treasury policy and by the control requirements outlined in the system's security plan is at least quarterly; BPD bureau-wide IT policy, however, requires only semiannual scanning. A recent vulnerability assessment performed by BPD on the infrastructure that supports this system identified potential high-risk vulnerabilities. At the time of the evaluation, BPD was performing follow-up efforts to evaluate the raw scan results and determine whether the potential vulnerabilities were legitimate threats or false positives.

BPD IT management has not been able to dedicate the resources necessary to conduct vulnerability scans on a more frequent basis. BPD IT management has identified this as an IT security weakness and is tracking it in the POA&M of the BPD general support system with an estimated completion date of February 1, 2010.

By not performing regular vulnerability scanning on major applications, BPD IT management may be unaware of all of the vulnerabilities present within the information system. A threat agent, either internal or external, could then exploit the vulnerabilities on these systems and affect the confidentiality, integrity, or availability of the information system and the information contained within.

We recommend that BPD management:

9. Continue follow-up efforts to resolve or dispose of all potential vulnerabilities identified during the recent vulnerability assessment.

10. Review and update internal BPD bureau-wide IT policies as appropriate.

11. Conduct vulnerability scans on at least a quarterly basis as required by TD P 85-01.

7. E-Authentication Risk Assessment Was Not Performed at FinCEN

Treasury has established a policy requiring the performance of an E-Authentication Risk Assessment for information systems with Web-based identification and authentication mechanisms. One (1) system within our representative subset of non-IRS Treasury systems at FinCEN was identified as having Web-based identification and authentication mechanisms; however, an E-Authentication Risk Assessment was not performed. An external accreditation agent informed FinCEN that this system did not require an E-Authentication Risk Assessment since it did not process financial transactions, even though the system has a Web-based authentication mechanism. OMB Memorandum 04-04 requires that an E-Authentication Risk Assessment be performed on any information system performing remote authentication of human users of Federal agency IT systems for the purpose of conducting government business electronically. OMB Memorandum 04-04 does not limit E-Authentication Risk Assessments to systems processing financial transactions.

By not performing an E-Authentication Risk Assessment, FinCEN may be unable to provide an appropriate level of assurance in the protection of authentication information.

We recommend that FinCEN management:

12. Perform an E-Authentication Risk Assessment for the one (1) system selected at FinCEN for the FY 2009 FISMA Evaluation.

Conclusions

As part of the FISMA evaluation of the non-IRS systems at Treasury, we assessed the effectiveness of Treasury's information security programs and practices and the implementation of the security control catalog contained in NIST SP 800-53 Rev. 2. Overall, while continued improvements are still needed across five (5) of 12 non-IRS bureaus and offices, we determined that an information security program is in place and is generally consistent with FISMA.

Management Response to Draft Report

The following is the OCIO's response to the draft FY 2009 FISMA Evaluation report, dated November 2, 2009.

November 2, 2009

MEMORANDUM FOR MARLA A. FREEDMAN
                                        ASSISTANT INSPECTOR GENERAL FOR AUDIT

FROM:                  Michael D. Duffy /s/
                       Deputy Assistant Secretary for Information Systems
                       and Chief Information Officer

                       Melissa Hartman /s/
                       Acting Deputy Assistant Secretary for Privacy and Treasury Records

SUBJECT:               Management Response to Draft Evaluation Report - The Department of the
                       Treasury Federal Information Security Management Act Fiscal Year 2009
                       Evaluation

Thank you for the opportunity to review and comment on the draft report entitled "The Department of the Treasury Federal Information Security Management Act Fiscal Year 2009 Evaluation." We are pleased that the evaluation identifies no significant deficiencies or management challenges and acknowledges Treasury's continued efforts to advance its Federal Information Security Management Act (FISMA) processes. The Department agrees with all findings and recommendations.

We appreciate the Office of Inspector General's recognition of our commitment to strengthen the inventory reporting process and implement a uniform delivery of security awareness and privacy awareness training.
In an effort to continuously improve the Department's information technology security program, the Office of the Chief Information Officer has implemented the Trusted Agent FISMA (TAF) Certification and Accreditation module and continued efforts to upgrade TAF, the FISMA reporting tool, which aids in the inventory reporting process.

The Office of the Deputy Assistant Secretary for Privacy and Treasury Records has strengthened its privacy program by signing Treasury Directive Publication (TD P) 25-07, "Privacy Impact Assessment Manual," providing guidance to ensure appropriate measures are followed regarding the proper use and protection of Personally Identifiable Information collected within Treasury's information systems.

We remain committed to sustaining an evolving IT security program and providing appropriate protection of critical information throughout the Department. Should you have any questions pertaining to this response, please do not hesitate to contact Michael Duffy at 202-622-1200 or Melissa Hartman at 202-622-5710.

Attachment

MANAGEMENT RESPONSE TO TREASURY OIG DRAFT RECOMMENDATIONS

OIG Finding 1: NIST Federal Information Processing Standard 200 Minimum Security Control Baselines Were Not Sufficiently Tested or Implemented (Repeat Finding)

OIG Recommendation 1: For FMS, we recommend that management: Complete full certification and accreditation of the first FMS system identified by the estimated completion date being tracked in the POA&M.

Treasury Response: Treasury concurs with this recommendation.
FMS has completed a full Certification and Accreditation (C&A) of System 1 as identified in the findings.
This action was completed by September 29, 2009 and has met the POA&M target date of September 30, 2009.

Responsible Official: Charles Simpson, FMS, Chief Information Officer

OIG Recommendation 2: For FMS, we recommend that management: Finalize the security assessment reporting process and reissue the full authority to operate for the second FMS system identified.

Treasury Response: Treasury concurs with this recommendation.
FMS has completed a full C&A of System 2 as identified in the finding. This action is complete as of September 29, 2009 and met the POA&M target date of October 31, 2009.

Responsible Official: Charles Simpson, FMS, Chief Information Officer

OIG Recommendation 3: For OTS, we recommend that management: Continue with plans to resolve the one (1) remaining high-risk weakness identified during the certification and accreditation process and achieve a full authority to operate during the FY 2010 FISMA reporting period.

Treasury Response: Treasury concurs with this recommendation.
In the FY 2010 FISMA reporting period, OTS will pursue its C&A plans to resolve security weaknesses to achieve full Authority to Operate. Target completion date is December 31, 2009.

Responsible Official: Wayne Leiss, OTS, Chief Information Officer

OIG Finding 2: Breach Notification Policy Required by OMB Memorandum 07-16 Has Not Been Finalized and Issued (Repeat Finding)
The recommendation remains open from FY 2008.

Treasury Response: Treasury concurs.
Treasury Directive (TD) 25-08, "Safeguarding Against, and Responding to, the Breach of Personally Identifiable Information (PII)," is in the final clearance stage and will be signed by December 31, 2009, in accordance with the Planned Corrective Action.
This Treasury-wide policy provides guidelines for safeguarding privacy-related information as well as the process for responding to any breaches.

Responsible Official: Melissa Hartman, Acting Deputy Assistant Secretary for Office of Privacy and Treasury Records

OIG Finding 3: DO FDCC Image Not Fully Implemented

OIG Recommendation 4: For DO, we recommend that management: Fully implement the DO FDCC secure baseline configurations on all headquarters end-user workstations by the November 15, 2009 due date outlined in the POA&M.

Treasury Response: Treasury concurs with this recommendation.
In the FY 2010 FISMA reporting period, DO has implemented FDCC secure configuration baselines on all headquarters end-user workstations. Target completion date is November 15, 2009.

Responsible Official: Diane Litman, Acting Associate CIO for Infrastructure Operations

OIG Finding 4: BPD Not Using a Security Content Automation Protocol Validated Tool

OIG Recommendation 5: For BPD, we recommend that management: Continue with efforts to implement a SCAP-validated tool.

Treasury Response: Treasury concurs with this recommendation.
In August 2009, a SCAP-validated tool from Tenable Security System was procured and implemented. A scan of the network was completed on September 25, 2009.

Responsible Official: Kim McCoy, BPD, Assistant Commissioner, Office of Information Technology

OIG Recommendation 6: For BPD, we recommend that management: Utilize a SCAP-validated tool to monitor the BPD FDCC secure configuration baseline image.

Treasury Response: Treasury concurs with this recommendation.
The FDCC secure baseline image will be monitored using the SCAP-validated tool on an ongoing basis to ensure compliance with the FDCC secure configuration baseline.
A scan of the network was completed on September 25, 2009.

Responsible Official: Kim McCoy, BPD, Assistant Commissioner, Office of Information Technology

OIG Finding 5: FMS POA&M Estimate to Completion Dates and Milestones Were Not Consistently Updated in Accordance with FMS Policy.

OIG Recommendation 7: For FMS, we recommend that management: Update the estimate to complete dates and milestones for each of the identified weaknesses to reflect the status.

Treasury Response: Treasury concurs with this recommendation.
In the FY 2010 FISMA reporting period, FMS will update the estimate to completion dates and milestones for each identified weakness to reflect status. Target completion date is April 30, 2010.

Responsible Official: Charles Simpson, FMS, Chief Information Officer

OIG Recommendation 8: For FMS, we recommend that management: Provide additional oversight across all FMS systems to ensure that the POA&M process is managed in accordance with FMS, Treasury, and OMB policy and guidance.

Treasury Response: Treasury concurs with this recommendation.
FMS management will review its oversight and guidance process to ensure the FISMA process is managed in accordance with all policies and guidance published by FMS, Treasury, and OMB. Based on this review, FMS will implement changes deemed necessary.
Target completion date is April 30, 2010.

Responsible Official: Charles Simpson, FMS, Chief Information Officer

OIG Finding 6: Frequency of Vulnerability Assessment Scanning at BPD Is Not In Line with Bureau and Treasury Policy.

OIG Recommendation 9: For BPD, we recommend that management: Continue follow-up efforts to resolve or dispose of all potential vulnerabilities identified during the recent vulnerability assessment.

Treasury Response: Treasury concurs with this recommendation.
In the FY 2010 FISMA reporting period, BPD will continue follow-up efforts to resolve all potential vulnerabilities identified during the assessment. This will be completed by March 31, 2010.

Responsible Official: Kim McCoy, BPD, Assistant Commissioner, Office of Information Technology

OIG Recommendation 10: For BPD, we recommend that management: Review and update internal BPD bureau-wide IT policies as appropriate.

Treasury Response: Treasury concurs with this recommendation.
We are currently replacing our Information Technology Security Manual with a series of policy documentation and will rely upon the Treasury policy to define the required scanning frequency for systems. This will be completed by March 31, 2010.

Responsible Official: Kim McCoy, BPD, Assistant Commissioner, Office of Information Technology

OIG Recommendation 11: For BPD, we recommend that management: Conduct vulnerability scans on at least a quarterly basis as required by TD P 85-01.

Treasury Response: Treasury concurs with this recommendation.
In the FY 2010 FISMA reporting period, BPD will conduct required vulnerability scans of the system infrastructure in line with Treasury policy.
This will be completed by March 31, 2010.

Responsible Official: Kim McCoy, BPD, Assistant Commissioner, Office of Information Technology

OIG Finding 7: E-Authentication Risk Assessment Was Not Performed at FinCEN

OIG Recommendation 12: For FinCEN, we recommend that management: Perform an E-Authentication Risk Assessment for one (1) system selected at FinCEN for the FY 2009 FISMA Evaluation.

Treasury Response: Treasury concurs with this recommendation.
FinCEN has mitigated this finding. FinCEN has performed and documented an E-Authentication Risk Assessment for a system that was selected for the FY 2009 FISMA Evaluation, as well as documented E-Authentication Risk Assessments for all other FISMA systems. E-Authentication Risk Assessment updates were completed on August 10, 2009.

Responsible Official: Amy Taylor, FinCEN, Associate Director, Office of Information Technology and Chief Information Officer

Appendix I – Responses to the FY 2009 OMB FISMA Reporting Questions

OMB's FY 2009 FISMA Reporting Template for IGs includes the following questions, which are to be addressed by the Treasury OIG and TIGTA: [16]

• Question 1 – Systems Inventory
• Question 2 – Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing
• Question 3 – Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory
• Question 4 – Evaluation of Agency POA&M Process
• Question 5 – IG Assessment of the Certification and Accreditation Process
• Question 6 – IG Assessment of the Privacy Program and PIA Process
• Question 7 – Configuration Management
• Question 8 – Incident Reporting
• Question 9 – Security Awareness Training
• Question 10 – Peer-to-Peer File Sharing

The responses to OMB's questions have been divided into the two sections below. The first section, entitled "Detailed Description of the Responses to the FY 2009 Reporting Template for IGs," includes the analysis and conclusions used to complete the reporting template for the non-IRS bureaus of the Treasury.

The second section contains the FY 2009 Reporting Template for IGs. The Treasury's responses to the FY 2009 FISMA Reporting Instructions for FISMA and Agency Privacy Management contained in OMB Memorandum 08-21 represent the consolidation of the responses for the IRS developed by TIGTA and the responses for all 12 non-IRS bureaus and offices.

Detailed Description of the Responses to the FY 2009 Reporting Template for IGs [17]

System Inventory/Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory (Questions 1 and 3)

Treasury implemented the TAF during the FY 2007 FISMA reporting period as the centralized repository for all Treasury systems and FISMA-related artifacts. Since its implementation, TAF has helped improve the quality of the Treasury's FISMA system inventory by serving as a centralized repository for common FISMA artifacts across the Department. The Treasury OCIO Cyber Security program has issued policy and guidance on TAF usage and provides training for all new users.
No discrepancies were identified with respect to the completeness or quality of the FISMA systems inventory.

For the system selected in our representative subset that is operated by a contractor, we noted that Treasury had implemented policies and oversight procedures for contractor systems. We identified that contracts contain terms and conditions that stipulate agency and contractor responsibilities related to FISMA. In addition, Memoranda of Understanding are in place to define the responsibilities of both the agency and the contractor with respect to information system security.

[16] The Treasury's IGs include both the Treasury OIG and TIGTA.
[17] Individual non-IRS bureaus and offices have been notified separately of the detailed observations identified during fieldwork.

Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing (Question 2)

Treasury has followed documented policies and procedures for certification and accreditation, security controls testing, and contingency plan testing. However, one (1) Treasury system selected at OTS within our representative subset of information systems is operating with an Interim Authority to Operate (IATO). In addition, one (1) Treasury system at OTS identified in the FY 2008 FISMA Audit report was still operating with an IATO at the conclusion of the FY 2009 FISMA Evaluation. Per NIST SP 800-37, an IATO does not represent a full system accreditation, nor is an IATO recognized as a system accreditation by OMB. Lastly, two (2) Treasury systems selected at FMS within our representative subset of information systems did not have a risk assessment or complete testing of the full NIST SP 800-53 Rev. 2 security controls baseline prior to being granted a full authority to operate.
With the exception of the systems within this Treasury bureau's FISMA systems inventory, Treasury has tested the security controls and contingency plans for all systems within our representative subset of systems during the FY 2009 FISMA reporting period. Refer to Finding No. 1 in the Results section of this report on page 12.

Evaluation of Agency POA&M Process (Question 4)

Refer to Finding No. 5 in the Results section of this report on page 15.

IG Assessment of the Certification and Accreditation (C&A) Process (Question 5)

Refer to Finding No. 1 in the Results section of this report on page 12.

IG Assessment of the Privacy Program and PIA Process (Question 6)

The Treasury Office of Privacy and Treasury Records has created TD 25-07, which outlines policy and assigns responsibility for implementing the privacy provisions of the E-Government Act of 2002. TD 25-07 also authorized TD P 25-07, Privacy Impact Assessment Manual. TD P 25-07 serves as a standard set of policies and procedures for the performance of PIAs for Treasury information systems. TD P 25-07 has been consistently applied across all 12 non-IRS Treasury bureaus and offices. Specifically, each of the 18 non-IRS systems in our representative subset of Treasury systems that contain PII had a PIA consistent with the requirements of TD P 25-07. However, Treasury OPTR has yet to implement policies required by OMB Memorandum 07-16. Refer to Finding No. 3 in the Results section of this report on page 15.

Configuration Management (Question 7)

Refer to Findings No. 2 and No. 6 in the Results section of this report on pages 14 and 16, respectively.

Incident Reporting (Question 8)

Treasury has established Treasury-wide computer security incident response and reporting policy and procedures in TD P 85-01.
Treasury has also established the TCSIRC to serve as the organization for coordinating computer security incident response and reporting among all 14 bureaus and offices of the Treasury and to serve as a single point of contact for reporting computer security incidents to US-CERT and external law enforcement. Each of the 12 non-IRS bureaus and offices in scope has also developed a computer security incident reporting capability and has reported all computer security incidents internally and in a timely manner.

Security Awareness Training (Question 9)

Treasury has implemented policy in TD P 85-01 that requires each bureau CIO to ensure IT security awareness training is provided annually to IT users (i.e., full-time employees, contractors, and any other individuals with system access) in accordance with applicable guidance. In addition, new hires and new contractors are required to attend security awareness training prior to being granted access to information systems. Lastly, all employees and contractors are required to attend security awareness refresher training on an annual basis.

Treasury has continued to make improvements to its security awareness training program since the FY 2008 FISMA Audit. Out of a sample of 170 employees and contractors across Treasury, only one (1) did not attend IT security awareness training within the FY 2009 FISMA reporting period. We noted that this deviation represented only a minimal rate of control failure, based on the total sample size of 170 employees and contractors across all 12 non-IRS bureaus and offices, and did not represent a control weakness.

Peer-to-Peer File Sharing (Question 10)

Treasury has established a Treasury-wide policy in TD P 85-01 for the inclusion of peer-to-peer file sharing in IT security awareness training programs.
TD P 85-01 requires bureaus to approve the use of all software and prohibits the use of pirated software. TD P 85-01 also references OMB Memorandum M-04-26, Personal Use Policies and "File-Sharing" Technology, for additional guidance pertaining to the use of peer-to-peer technology. In addition, all non-IRS bureaus and offices have incorporated peer-to-peer file sharing within their IT security awareness training programs, including the Treasury-wide training solution.

OMB FY 2009 Reporting Template for IGs

Question 1: Systems Inventory – Identify the number of agency and contractor systems by component and FIPS 199 impact level (low, moderate, high). Please also identify the number of systems that are used by your agency but owned by another federal agency (i.e., ePayroll, etc.) by component and FIPS 199 impact level.

Question 2: Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing – Identify the number of agency and contractor systems by component and FIPS 199 impact level (low, moderate, high). Please also identify the number of systems that are used by your agency but owned by another federal agency (i.e., ePayroll, etc.) by component and FIPS 199 impact level.

Column key for the table below:
Question 1 – a. Agency Systems (Number; Number Reviewed); b. Contractor Systems (Number; Number Reviewed); c. Total number of systems, Agency and Contractor (Total Number; Total Number Reviewed).
Question 2 [18] – a. Number of systems certified and accredited (Total; Percent of Total); b. Number of systems for which security controls have been tested and reviewed in the past year (Total; Percent of Total); c. Number of systems for which contingency plans have been tested in accordance with policy (Total; Percent of Total).

| Bureau Name | FIPS 199 System Impact Level | Q1a Number | Q1a Number Reviewed | Q1b Number | Q1b Number Reviewed | Q1c Total Number | Q1c Total Number Reviewed | Q2a Total | Q2a Percent of Total | Q2b Total | Q2b Percent of Total | Q2c Total | Q2c Percent of Total |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| BEP | High | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| BEP | Moderate | 32 | 1 | 2 | 0 | 34 | 1 | 1 | 100% | 1 | 100% | 1 | 100% |
| BEP | Low | 8 | 0 | 0 | 0 | 8 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| BEP | Not Categorized | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| BEP | Subtotal | 40 | 1 | 2 | 0 | 42 | 1 | 1 | 100% | 1 | 100% | 1 | 100% |
| BPD | High | 2 | 0 | 0 | 0 | 2 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| BPD | Moderate | 11 | 2 | 0 | 0 | 11 | 2 | 2 | 100% | 2 | 100% | 2 | 100% |
| BPD | Low | 6 | 0 | 0 | 0 | 6 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| BPD | Not Categorized | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| BPD | Subtotal | 19 | 2 | 0 | 0 | 19 | 2 | 2 | 100% | 2 | 100% | 2 | 100% |
| CDFI | High | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| CDFI | Moderate | 3 | 1 | 0 | 0 | 3 | 1 | 1 | 100% | 1 | 100% | 1 | 100% |
| CDFI | Low | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| CDFI | Not Categorized | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| CDFI | Subtotal | 3 | 1 | 0 | 0 | 3 | 1 | 1 | 100% | 1 | 100% | 1 | 100% |
| DO | High | 10 | 0 | 2 | 1 | 12 | 1 | 1 | 100% | 1 | 100% | 1 | 100% |
| DO | Moderate | 22 | 2 | 3 | 1 | 25 | 3 | 3 | 100% | 3 | 100% | 3 | 100% |
| DO | Low | 13 | 0 | 2 | 0 | 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| DO | Not Categorized | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| DO | Subtotal | 45 | 2 | 7 | 2 | 52 | 4 | 4 | 100% | 4 | 100% | 4 | 100% |
| FinCEN | High | 5 | 1 | 0 | 0 | 5 | 1 | 1 | 100% | 1 | 100% | 1 | 100% |
| FinCEN | Moderate | 2 | 0 | 0 | 0 | 2 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| FinCEN | Low | 1 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| FinCEN | Not Categorized | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| FinCEN | Subtotal | 8 | 1 | 0 | 0 | 8 | 1 | 1 | 100% | 1 | 100% | 1 | 100% |
| FMS | High | 8 | 2 | 3 | 1 | 11 | 3 | 3 | 100% | 3 | 100% | 3 | 100% |
| FMS | Moderate | 29 | 2 | 2 | 0 | 31 | 2 | 2 | 100% | 2 | 100% | 2 | 100% |
| FMS | Low | 9 | 0 | 0 | 0 | 9 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| FMS | Not Categorized | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| FMS | Subtotal | 46 | 4 | 5 | 1 | 51 | 5 | 5 | 100% | 5 | 100% | 5 | 100% |
| IRS | High | 4 | 0 | 0 | 0 | 4 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| IRS | Moderate | 181 | 11 | 6 | 1 | 187 | 12 | 12 | 100% | 12 | 100% | 12 | 100% |
| IRS | Low | 44 | 0 | 0 | 0 | 44 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| IRS | Not Categorized | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |

[18] This template is based on the FISMA Reporting Instructions developed by OMB. These reporting instructions allow the agency to report on a representative subset of agency systems. The Totals and Percent Totals in Question 2 are calculated using the total number of systems in our representative subset of Treasury systems as the denominator, as identified in the "Total Number Reviewed" column of Question 1 c., "Total number of systems (Agency and Contractor systems)."
  Reviewed                Reviewed   Number                    Number    of Total   Number     of Total   Number     of Total\n                                                                                       Reviewed\n              Subtotal             229            11         6          1       235           12           12      100%         12      100%          12         100%\nMint          High                   0             0         0          0         0               0         0         0           0        0           0            0\n              Moderate              15             0         1          1        16               1         1      100%           1     100%           1         100%\n              Low                    3             0         0          0         3               0         0         0           0        0           0            0\n              Not Categorized        0             0         0          0         0               0         0         0           0        0           0            0\n              Subtotal              18             0         1          1        19               1         1      100%           1     100%           1         100%\nOCC           High                   0             0         0          0         0               0         0         0           0        0           0            0\n              Moderate              17             1         0          0        17               1         1      100%           1     100%           1         100%\n              Low                    0             0         0          0         0               0         0         0           0        0           0            0\n              Not Categorized        0             0         0          0         0               0         0         0           0        0           0            0\n              Subtotal              17             1         0          0        17               1       
  1      100%           1     100%           1         100%\nOIG           High                   0             0         0          0         0               0         0         0           0        0           0            0\n              Moderate               1             0         0          0         1               0         0         0           0        0           0            0\n              Low                    0             0         0          0         0               0         0         0           0        0           0            0\n              Not Categorized        0             0         0          0         0               0         0         0           0        0           0            0\n              Subtotal               1             0         0          0          1              0         0         0           0        0           0            0\nOTS           High                   0             0         0          0          0              0         0         0           0        0           0            0\n              Moderate               8             1         0          0          8              1         0        0%           1     100%           1         100%\n              Low                    0             0         0          0          0              0         0         0           0        0           0            0\n              Not Categorized        0             0         0          0          0              0         0         0           0        0           0            0\n              Subtotal               8             1         0          0          8              1         0        0%           1     100%           1         100%\nTIGTA         High                   0             0         0          0          0              0         0         0           0        0           0            0\n              Moderate               2             0         0          0          2              0   
      0         0           0        0           0            0\n              Low                    0             0         0          0          0              0         0         0           0        0           0            0\n\n\n\n                                                                                                                                                      Page I-5\n\x0c                                                             Question 1                                                          Question 2 18\n                                         a.                      b.                   c.                        a.                    b.                   c.\n                                   Agency Systems        Contractor Systems    Total number of          Number of systems    Number of systems     Number of systems\n                                                                                   systems                certified and       for which security       for which\n                                                                                 (Agency and               accredited         controls have been   contingency plans\n                                                                              Contractor systems)                            tested and reviewed   have been tested in\n                                                                                                                               in the past year     accordance with\n                                                                                                                                                         policy\n\n\n                                                                                          Total\n                FIPS 199 System            Number                  Number      Total                     Total    Percent     Total     Percent     Total     Percent\nBureau Name                       
Number                 Number                          Number\n                Impact Level               Reviewed                Reviewed   Number                    Number    of Total   Number     of Total   Number     of Total\n                                                                                         Reviewed\n                Not Categorized        0             0         0          0          0              0         0         0           0        0           0            0\n                Subtotal               2             0         0          0         2               0         0         0           0        0           0            0\nTTB             High                   0             0         0          0         0               0         0         0           0        0           0            0\n                Moderate              17             1         0          0        17               1         1      100%           1     100%           1         100%\n                Low                    1             0         0          0         1               0         0         0           0        0           0            0\n                Not Categorized        0             0         0          0         0               0         0         0           0        0           0            0\n                Subtotal              18             1        0           0        18            1            1     100%           1      100%           1       100%\nAgency Totals   High                  29             3        5           2        34            5            5     100%           5      100%           5       100%\n                Moderate             340            22       14           3       354           25           24      96%          25      100%          25       100%\n                Low                   85             0        2           0        87            0            0       0%           0        0%           0 
        0%\n                Not Categorized        0             0        0           0         0            0            0       0%           0        0%           0         0%\n                Total                454            25       21           5       475           30           29      97%          30      100%          30       100%\n\n\n\n\n                                                                                                                                                        Page I-6\n\x0cQuestion 3: Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory \xe2\x80\x93 The agency performs oversight and\nevaluation to ensure information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the\nrequirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy.\n\nDoes the agency have policies for oversight of contractors? Yes/No                                                                   Yes\n\nIf the answer above is Yes, Is the policy implemented?                                                                               Yes\n\n                                                                                                                           (See Comment 1 Below)\nThe agency has a materially correct inventory of major information systems (including                                              Yes\nnational security systems) operated by or under the control of such agency. Yes/No\n                                                                                                      (Note: National Security Systems are reported in a separate report)\nDoes the agency maintain an inventory of interfaces between the agency systems and all other                                        Yes\nsystems, such as those not operated by or under the control of the agency? 
Yes/No\n\nDoes the agency require agreements for interfaces between systems it owns or operates and                                            Yes\nother systems not operated by or under the control of the agency? Yes/No\n\nThe IG generally agrees with the CIO on the number of agency-owned systems. Yes/No                                                   Yes\n\nThe agency inventory is maintained and updated at least annually. Yes/No                                                             Yes\n\nThe IG generally agrees with the CIO on the number of information systems used or operated                                           Yes\nby a contractor of the agency or other organization on behalf of the agency. Yes/No\n\nIf the IG does not indicate that the agency has a materially correct inventory, please identify any known missing major systems by Component/Bureau, the\nUnique Project Identifier (UPI) associated with the systems as presented in the FY 2009 Exhibit 300 (if known), and indicate if the system is an agency or\ncontractor system.\n\n\n                                                                                    Exhibit 300 Unique Project\n         Component/Bureau                           System Name                                                                 Agency or Contractor system?\n                                                                                         Identifier (UPI)\nNot applicable \xe2\x80\x93 the Treasury OIG and TIGTA agreed that Treasury has a materially correct inventory\n\nNumber of known systems missing\n                                         0\nfrom inventory:\n\n\n\n\n                                                                                                                                                            Page I-7\n\x0cQuestion 3: Evaluation of Agency Oversight of Contractor Systems and Quality of Agency System Inventory \xe2\x80\x93 The agency performs oversight and\nevaluation to ensure 
information systems used or operated by a contractor of the agency or other organization on behalf of the agency meet the\nrequirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency policy.\n\n                                         Comment 1 \xe2\x80\x93 TIGTA Comment: The response to this question is based on our evaluation of the annual testing of\n                                         1 contractor system in the sample of 12 systems reviewed. The Treasury Inspector General for Tax Administration (TIGTA) is\nComments:\n                                         currently conducting an audit of the effectiveness of contractor managed systems, the results of which will be reflected in future\n                                         FISMA evaluation results.\n\n\nQuestion 4: Evaluation of Agency Plan of Action and Milestones (POA&M) Process \xe2\x80\x93 Assess whether the agency has developed, implemented, and is\nmanaging an agency-wide plan of action and milestones (POA&M) process, providing explanatory detail in the area provided.\n\nHas the Agency developed and documented an adequate policy that establishes a POA&M\nprocess for reporting IT security deficiencies and tracking the status of remediation efforts?\n                                                                                                                                       Yes\nYes/No\n\nHas the Agency fully implemented the policy? Yes/No\n                                                                                                                                       Yes\n\nIs the Agency currently managing and operating a POA&M process?                                                                    
Yes\n                                                                                                                 (See Overall Comment - Treasury OIG Below)\nIs the agency\'s POA&M process an agency-wide process, incorporating all known IT security\nweakness, including IG/external audit findings associated with information systems used or\noperated by the agency or by a contractor of the agency or other organization on behalf of the                                         Yes\nagency? Yes/No\n\nDoes the POA&M process prioritize IT security weakness to help ensure significant IT\nsecurity weaknesses are corrected in a timely manner and receive appropriate resources?\n                                                                                                                                       Yes\nYes/No\n\nWhen an IT security weakness is identified, do program officials (including CIOs, if they own\nor operate a system) develop, implement, and manage POA&Ms for their system(s)? Yes/No                                                 Yes\n\n\nFor Systems Reviewed:                            a. Are deficiencies tracked and remediated in\n                                                                                                                                       Yes\n                                                 a timely manner? Yes/No\n\n\n\n                                                                                                                                                              Page I-8\n\x0cQuestion 4: Evaluation of Agency Plan of Action and Milestones (POA&M) Process \xe2\x80\x93 Assess whether the agency has developed, implemented, and is\nmanaging an agency-wide plan of action and milestones (POA&M) process, providing explanatory detail in the area provided.\n\n\n                                               b. 
Are the remediation plans effective for\n                                               correcting the security weakness? Yes/No                                     Yes\n\n                                               c. Are the estimated dates for remediation\n                                               reasonable and adhered to? Yes/No                                            Yes\n\nDo Program officials and contractors report their progress on security weakness remediation\nto the CIO on a regular basis (at least quarterly)? Yes/No                                                                  Yes\n\nDoes the Agency CIO centrally track, maintain, and independently review/validate POA&M\nactivities on at least a quarterly basis? Yes/No                                                                            Yes\n\n                    Overall Comment - Treasury OIG: While there were no findings reported in the POA&M process at 11 of the 12 non-IRS bureau of the Treasury,\nPOA&M process       it was noted that FMS did not consistently update POA&M weakness estimated completion dates for a subset of the POA&M weaknesses sampled.\n  comments:         While this discrepancy was identified and reported to management, overall all 12 non-IRS bureaus and offices have generally developed,\n                    implemented, and are managing a POA&M process. (See Finding Number 5 on page 15 in the body of this report)\n\n\n\n\n                                                                                                                                                 Page I-9\n\x0cQuestion 5: IG Assessment of the Certification and Accreditation Process \xe2\x80\x93 Provide a qualitative assessment of the agency\'s certification and\naccreditation process, including adherence to existing policy, guidance, and standards. 
Agencies shall follow NIST Special Publication 800-37, Guide for\nthe Security Certification and Accreditation of Federal Information Systems (May 2004) for certification and accreditation work initiated after May 2004.\nThis includes use of the FIPS 199 (February 2004), Standards for Security Categorization of Federal Information and Information Systems, to determine a\nsystem impact level, as well as associated NIST documents used as guidance for completing risk assessments and security plans. Provide explanatory detail\nin the area provided.\n\nHas the Agency developed and documented an adequate policy for establishing a certification and accreditation process that follows the\nNIST framework? Yes/No                                                                                                                                       Yes\n\n                                                                                                                                                            Yes\nIs the Agency currently managing and operating a C&A process in compliance with its policies? 
Yes/No\n                                                                                                                                                      (See Comment 2\n                                                                                                                                                          Below)\n                                                                                                                 Appropriate risk categories\n                                                                                                                                                             Yes\n                                                                                                                 Adequate risk assessments\n                                                                                                                                                             Yes\n                                                                                                                 Selection of appropriate\n                                                                                                                 controls                                    Yes\nFor systems reviewed, does the C&A process adequately provide:(Yes/No)\n                                                                                                                                                            No\n                                                                                                                 Adequate testing of controls\n                                                                                                                                                      (See Comment 3\n                                                                                                                                                          Below)\n                                                      
                                                           Regular monitoring of\n                                                                                                                 system risks and the\n                                                                                                                                                             Yes\n                                                                                                                 adequacy of controls\n\nFor systems reviewed, is the Authorizing Official presented with complete and reliable C&A information to facilitate an informed\n                                                                                                                                                             Yes\nsystem Authorization to Operate decision based on risks and controls implemented? Yes/No\n\n                     Comment 2 - Treasury OIG: We identified that Treasury has generally managed and operated a certification and accreditation process in\n                     compliance with its policies. However, deviations were identified at FMS and OTS. Specifically, NIST FIPS 199 security control baselines were\n                     not adequately tested for two (2) systems at FMS and not fully implemented over two (2) systems at OTS. (See Finding Number 1 on page 12 in\n  C&A process        the body of this report)\n   comments:\n                     Comment 3 - TIGTA: Controls were not adequately tested for 3 of the 12 sampled systems reviewed. For each of the three systems, controls were\n                     selected and tested during 2009 for continuous monitoring of security. However, tests of the operational and technical controls for the three systems\n                     were not sufficient to determine if the controls were in place and operating as intended. 
Specifically, 11 (31 percent) of 35 operational controls and\n\n\n\n                                                                                                                                                            Page I-10\n\x0cQuestion 5: IG Assessment of the Certification and Accreditation Process \xe2\x80\x93 Provide a qualitative assessment of the agency\'s certification and\naccreditation process, including adherence to existing policy, guidance, and standards. Agencies shall follow NIST Special Publication 800-37, Guide for\nthe Security Certification and Accreditation of Federal Information Systems (May 2004) for certification and accreditation work initiated after May 2004.\nThis includes use of the FIPS 199 (February 2004), Standards for Security Categorization of Federal Information and Information Systems, to determine a\nsystem impact level, as well as associated NIST documents used as guidance for completing risk assessments and security plans. Provide explanatory detail\nin the area provided.\n\n                    15 (27 percent) of 56 technical controls selected for the 3 systems, collectively, were not adequately tested. The tests were limited to examining\n                    certification and accreditation documentation or conducting interviews without examining system evidence. For example, configuration change\n                    control is an operational control that ensures changes to the information system are authorized, documented, and controlled. For one of the systems,\n                    the IRS evaluated this control by examining the test results from the system\xe2\x80\x99s last certification and accreditation in 2007. For another system, the\n                    IRS evaluated the control by referring to a description of the control in the system\xe2\x80\x99s System Security Plan. 
In both examples, the IRS did not\n                    actually test the control.\n\n\n\n\nQuestions 6 : IG Assessment of Agency Privacy Program and Privacy Impact Assessment (PIA) Process \xe2\x80\x93 Provide a qualitative assessment of the\nagency\'s process, as discussed in Section D, for protecting privacy-related information, including adherence to existing policy, guidance and standards.\nProvide explanatory information in the area provided.\n\nHas the Agency developed and documented adequate policies that comply with OMB guidance in M-07-16, M-06-15, and M-06-16 for                              No\nsafeguarding privacy-related information? Yes/No\n                                                                                                                                                   (See Comment 3\n                                                                                                                                                       Below)\nIs the Agency currently managing and operating a privacy program with appropriate controls in compliance with its policies? Yes/No                       No\n\n                                                                                                                                                   (See Comment 3\n                                                                                                                                                       Below)\nHas the Agency developed and documented an adequate policy for Privacy Impact Assessments? Yes/No/NA\n                                                                                                                                                         Yes\nHas the Agency fully implemented the policy and is the Agency currently managing and operating a process for performing adequate\nprivacy impact assessments? 
Yes/No/NA                                                                                                                    Yes\n\n\n\n\n                                                                                                                                                          Page I-11\n\x0cQuestions 6 : IG Assessment of Agency Privacy Program and Privacy Impact Assessment (PIA) Process \xe2\x80\x93 Provide a qualitative assessment of the\nagency\'s process, as discussed in Section D, for protecting privacy-related information, including adherence to existing policy, guidance and standards.\nProvide explanatory information in the area provided.\n\n                     Comment 3 \xe2\x80\x93 Treasury OIG: While the TIGTA has reported \xe2\x80\x9cYes\xe2\x80\x9d to these questions with respect to the IRS, the Treasury Office of Privacy and\n                     Treasury Records have yet to finalize Treasury-wide policy for safeguarding privacy-related information, as required by OMB Memorandum 07-\nComments:            016. (See Finding Number 4 on page 15 in the body of this report)\n\n\n\nQuestion 7: Configuration Management\nIs there an agency-wide security configuration policy? Yes or No.                                                                                  Yes\n\nFor each OS/platform/system for which your Agency has a configuration policy, please indicate the status of implementation for that          See Comment 4\npolicy?                                                                                                                                          Below\n\n\nAgency has documented deviations from FDCC standard configuration. 
Yes/No                                                                          Yes\n\n                                                                                                                                                    No\nNew Federal Acquisition Regulation 2007-004 language, which modified "Part 39\xe2\x80\x94Acquisition of Information Technology", is included\nin all contracts related to common security settings. Yes/No.                                                                                (See Comment 5\n                                                                                                                                                 Below)\nComments:            Comment 4 - Treasury OIG: The following table includes the consolidated Treasury OIG and TIGTA results for all 14 Treasury bureaus and\n                     offices:\n\n                      OS/Platform/System           Implementation Status       Monitoring Compliance (if Policy fully implemented)\n                                                                               Tool/Technique/Technology                     Category\n                      Microsoft Windows NT 4.0     Policy Fully Implemented    Windows Policy Checker                        Configuration Scanner\n                      Microsoft Windows 2000       Policy Fully Implemented    Windows Policy Checker                        Configuration Scanner\n                      Professional\n                      Microsoft Windows Server     Policy Fully Implemented    McAfee Foundstone                                Vulnerability Scanner\n                      2000                                                     Tenable Security Nessus                          Vulnerability Scanner\n                                                                               Microsoft Baseline Security Analyzer             Configuration Scanner\n                                                                   
Question 7: Configuration Management

Platform                       Policy Status              Tool/Technique                                                   Tool Type
(continued)                                               Qualysis                                                         Vulnerability Scanner
                                                          System Center Configuration Manager/System Management Service   Other – Patch Management
                                                          Windows Policy Checker                                           Configuration Scanner
Microsoft Windows Server 2003  Policy Fully Implemented   McAfee Foundstone                                                Vulnerability Scanner
                                                          Tenable Security Nessus                                          Vulnerability Scanner
                                                          Microsoft Baseline Security Analyzer                             Configuration Scanner
                                                          Qualysis                                                         Vulnerability Scanner
                                                          System Center Configuration Manager/System Management Service   Other – Patch Management
                                                          Windows Policy Checker                                           Configuration Scanner
Microsoft Windows XP           Policy Fully Implemented   ThreatGuard Secutor Prime                                        Configuration Scanner
                                                          ThreatGuard Secutor Magnus                                       Configuration Scanner
                                                          Tenable Security Nessus                                          Configuration Scanner
                                                          Secure Fusion                                                    Configuration Scanner
                                                          GFI LANguard                                                     Vulnerability Scanner
                                                          System Center Configuration Manager/System Management Service   Other – Patch Management
                                                          Windows Policy Checker                                           Configuration Scanner
                                                          Security Compliance Checker                                      Configuration Scanner
Sun Solaris                    Policy Fully Implemented   McAfee Foundstone                                                Vulnerability Scanner
                                                          Tenable Security Nessus                                          Vulnerability Scanner
                                                          Qualysis                                                         Vulnerability Scanner
                                                          Unix Policy Checker                                              Configuration Scanner
IBM AIX                        Policy Fully Implemented   McAfee Foundstone                                                Vulnerability Scanner
                                                          Tenable Security Nessus                                          Vulnerability Scanner
                                                          Qualysis                                                         Vulnerability Scanner
                                                          Checklist                                                        Other
HP-UX                          Policy Fully Implemented   McAfee Foundstone                                                Vulnerability Scanner
                                                          Tenable Security Nessus                                          Vulnerability Scanner
                                                          Qualysis                                                         Vulnerability Scanner
                                                          Unix Policy Checker                                              Configuration Scanner
Red Hat Linux                  Policy Fully Implemented   McAfee Foundstone                                                Vulnerability Scanner
                                                          Tenable Security Nessus                                          Vulnerability Scanner
                                                          Qualysis                                                         Vulnerability Scanner
                                                          Checklist                                                        Other
IBM OS390                      Policy Fully Implemented   Mainframe Policy Checker                                         Configuration Scanner
Microsoft SQL Server 2000      Policy Fully Implemented   AppDetective                                                     Configuration Scanner
                                                          Checklist                                                        Other
Microsoft SQL Server 2005      Policy Fully Implemented   Checklist                                                        Other
IBM DB2                        Policy Fully Implemented   AppDetective                                                     Configuration Scanner
                                                          Checklist                                                        Other
Oracle Database 8i             Policy Fully Implemented   AppDetective                                                     Configuration Scanner
                                                          Checklist                                                        Other
Oracle Database 9i             Policy Fully Implemented   Checklist                                                        Other
Oracle Database 10g            Policy Fully Implemented   Checklist                                                        Other
Cisco IOS                      Policy Fully Implemented   OPNETDoctor                                                      Configuration Scanner
Other                          Policy Fully Implemented   Other – Enterasys Dragon                                         Intrusion Detection and Prevention Systems
                                                          Other – Snort                                                    Intrusion Detection and Prevention Systems
                                                          Other – IBM zOS Manual Technique                                 Configuration Scanner

Note: While this table contains the combined results of the Treasury OIG and TIGTA FISMA evaluations, we have also maintained the separate TIGTA-specific comment below.

Comment 4 – TIGTA: The IRS uses the following tools and techniques for monitoring compliance with configuration policy:
•   Windows Policy Checker for Windows XP, Windows NT, Windows 2000 Professional, Windows 2000 Server, and Windows 2003 Server
•   Security Compliance Checker for Windows XP
•   UNIX Policy Checker for UNIX, Solaris, and HP-UX
•   Mainframe Policy Checker for Mainframes
•   OPNET Doctor for Cisco Routers and Switches
•   Checklists for Linux, Oracle, SQL, DB2, and AIX

Comment 5 – Treasury OIG/TIGTA: While the Treasury OIG reported “Yes” for this question for the 12 non-IRS Treasury bureaus, TIGTA reported “No”. Specifically, in March 2009, TIGTA issued a report¹⁹ in which it identified that 27 of 30 contracts for new software products that it reviewed did not include the required FDCC contract language. The IRS has not yet implemented policy that would require the inclusion of the FDCC language in contracts for new software products.
The IRS responded to the report that it planned to issue an agency-wide policy that will incorporate the FDCC contract language in information technology acquisitions.

¹⁹ Progress Has Been Slow in Implementing Federal Security Configurations on Employee Computers (Reference Number 2009-20-055, dated March 27, 2009).

Question 8: Incident Reporting

How often does the Agency comply with documented policies and procedures for identifying and reporting incidents internally? Answer will be a percentage range.
    90-100% (See Comment 6 Below)

How often does the Agency comply with documented policies and procedures for timely reporting of incidents to US CERT? Answer will be a percentage range.
    90-100% (See Comment 7 Below)

How often does the Agency comply with documented policy and procedures for reporting to law enforcement? Answer will be a percentage range.
    90-100% (See Comment 8 Below)

Comments:

General Comment – Treasury OIG: No significant discrepancies in incident reporting were identified at the 12 non-IRS bureaus of the Treasury.

Comment 6 – TIGTA: This percentage rate is based on an August 2009 TIGTA audit report²⁰ which showed that IRS employees reported 96 percent of all incidents involving the loss of information technology assets to the IRS Computer Security Incident Response Center, whose mission is to be proactive in preventing, detecting, and responding to computer security incidents targeting IRS enterprise information technology assets.

Comment 7 – TIGTA: Not applicable. The IRS does not report incidents directly to US-CERT. The IRS reports incidents to the Department of the Treasury.
The Department of the Treasury serves as the central point for reporting Treasury bureau incidents to the US-CERT.

Comment 8 – TIGTA: 90 percent – 100 percent. This percentage rate is based on an August 2009 TIGTA audit report that showed that the IRS reported 96 percent of all incidents involving the loss of information technology assets to the TIGTA Office of Investigations, the law enforcement agency for the IRS.

²⁰ Significant Improvements Have Been Made to Protect Sensitive Data on Laptop Computers and Other Portable Electronic Media Devices (Reference Number 2009-20-120, dated August 31, 2009).

Question 9: Security Awareness Training – Has the agency ensured IT security awareness training of all users with log in privileges, including contractors and those employees with significant IT security responsibilities? Provide explanatory detail in the space provided.

Has the Agency developed and documented an adequate policy for identifying all general users, contractors, and system owners/employees who have log in privileges, and providing them with suitable IT security awareness training? Yes/No/NA
    Yes (See Comment 9 Below)

Total number of people with log in privileges to agency systems
    104,231

Number of people with log in privileges to agency systems that received information security awareness training during the past fiscal year, as described in NIST Special Publication 800-50, "Building an Information Technology Security Awareness and Training Program" (October 2003).
    124,773 (See Comment 10 Below)

Total number of employees with significant information security responsibilities.
    7,778

Number of employees with significant security responsibilities that received specialized training, as described in NIST Special Publication 800-16, “Information Technology Security Training Requirements: A Role- and Performance-Based Model” (April 1998)
    7,633

Comments:

General Comment – Treasury OIG: Our conclusions in Question 9 are based on totals provided by the Treasury OCIO and verified by test work over a sample of employees and contractors at each of the 12 non-IRS bureaus and offices of the Treasury to determine if individuals with log in privileges to agency systems received information security awareness training during the past fiscal year and to determine if employees with significant security responsibilities received specialized training.

Comment 9 – TIGTA: The IRS identifies all employees and contractors including those with log in privileges as well as those without system access.

Comment 10 – TIGTA: 107,568 people received information security awareness training. This included individuals with log in privileges as well as those without system access.

Question 10: Peer-to-Peer File Sharing

Does the agency explain policies regarding the use of peer-to-peer file sharing in IT security awareness training, ethics training, or any other agency-wide training? Yes/No.
    Yes

Appendix II – Approach to the Selection of the Subset of Systems

In FY 2009, we employed a risk-based approach to determine the representative subset of Treasury information systems for the FISMA evaluation. The universe for this representative subset will only include major applications and general support systems.

We used a total subset size of 15% of the total population of Treasury major applications and general support systems. We then applied the weighting of IRS systems to non-IRS bureau systems to the total subset size in order to determine the IRS and non-IRS bureau subset sizes. We determined that, as of April 2, 2009, 60% of the population of Treasury information systems are non-IRS major applications and general support systems.
We also determined that 40% of the population of Treasury information systems were IRS major applications and general support systems. Based on our analysis, we noted 203 major applications and general support systems are contained within the Treasury-wide inventory. The following table provides our analysis of the composition of the Treasury’s inventory of major applications and general support systems.

                              Total      IRS       non-IRS      non-IRS Financial Systems
Major Applications             148        59          89                   43
General Support Systems         55        23          32                    4
Total                          203        82         121                   47

Applying the subset size percentage of 15% to the total population of 203 yields a total subset size of 30 systems. When the IRS to non-IRS weighting is applied to this total subset size, the resulting sizes for the IRS and non-IRS subsets are 12 and 18, respectively.

We determined that Major Applications account for 74% of the non-IRS population and General Support Systems account for 26%. We further determined that systems designated as “Financial” in TAF account for 39% of all non-IRS Major Applications and General Support Systems.
Lastly, we determined that 26% of the non-IRS Major Applications and General Support Systems are assigned a FIPS 199 System Impact Level of “High,” while 66% are assigned a FIPS 199 System Impact Level of “Moderate” and 7% are assigned a FIPS 199 System Impact Level of “Low.” (Note: Based on their lower risk, we elected not to select any systems with a FIPS 199 System Impact Level of “Low.” Rather, we substituted these systems for a system with a FIPS 199 System Impact Level of “Moderate.”)

To select the subset, we stratified the full population of Treasury major applications and general support systems by bureau and by FIPS 199 system impact level.

     Total Selected                                                                    18
     Total Major Applications                                                          14
     Total General Support Systems                                                      4
     Total Systems with a FIPS 199 System Impact Level of “High”                        5
     Total Systems with a FIPS 199 System Impact Level of “Moderate”                   13
     Total Systems with a FIPS 199 System Impact Level of “Low”                         0
     Total Systems Designated as Financial                                              7

We further stratified the number of information systems by each bureau to determine the total percentage of information systems at each non-IRS bureau, based on the total population of all non-IRS information systems. This information was used as a baseline when determining the total number of systems to select at each bureau:

         Bureau         Total Systems       Percentage of Total       Total Number of non-IRS
                                            non-IRS Population        Systems to be Selected
         BEP                        8                    7%                          1
         BPD                       13                   11%                          2
         CDFI Fund                  3                    2%                          1
         DO                        27                   22%                          4
         FinCEN                     5                    4%                          1
         FMS                       33                   27%                          5
         Mint                      10                    8%                          2
         OCC                        8                    8%                          1
         OIG                        1                    1%                          0
         OTS                        8                    7%                          1
         TIGTA                      2                    1%                          0
         TTB                        3                    2%                          1
         Total                    121                  100%                         18

We then used a risk-based approach to selecting systems out of each stratum. We considered the following factors to select each system:

•   Total number of systems per bureau
•   Systems at smaller bureaus not historically included in FISMA audits or evaluations
•   Number of systems at each bureau with a FIPS system impact level of “High”
•   Date of the system’s Authority to Operate
•   Number of open issues per system
•   Number of issues recently closed per system
•   Number of issues identified in previous FISMA audits, FISMA evaluations, and other recent OIG reviews
•   Availability of the system via the Internet.

From our representative subset of 18 non-IRS Treasury systems, we also selected five (5) to perform in-depth testing over specific controls selected from the NIST SP 800-53 Rev. 2 minimum security control baseline. We selected five (5) major applications with a NIST FIPS 199 system impact level of Moderate. We selected one system each from the five (5) non-IRS Treasury bureaus that had the highest concentration of systems or that had prior year findings in the implementation of the NIST SP 800-53 Rev. 2 minimum security control baseline.

Appendix III – Acronym Listing

Acronym   Definition
ACIOCS    Associate Chief Information Officer for Cyber Security
BEP       Bureau of Engraving and Printing
BPD       Bureau of the Public Debt
CDFI      Community Development Financial Institution
CIO       Chief Information Officer
CIP       Critical Infrastructure Protection
CPO       Chief Privacy Officer
CSS       Cyber Security Sub-Council
DO        Departmental Offices
FDCC      Federal Desktop Core Configuration
FinCEN    Financial Crimes Enforcement Network
FIPS      Federal Information Processing Standards
FISMA     Federal Information Security Management Act
FMS       Financial Management Service
FY        Fiscal Year
GAGAS     Generally Accepted Government Auditing Standards
IATO      Interim Authority to Operate
IG        Inspector General
IRS       Internal Revenue Service
IT        Information Technology
Mint      United States Mint
NIST      National Institute of Standards and Technology
OCC       Office of the Comptroller of Currency
OCIO      Office of the Chief Information Officer
OMB       Office of Management and Budget
OPTR      Office of Privacy and Treasury Records
OIG       Office of the Inspector General
OTS       Office of Thrift Supervision
PIA       Privacy Impact Assessment
PII       Personally Identifiable Information
POA&M     Plan of Action and Milestones
Rev       Revision
SAOP      Senior Agency Official for Privacy
SCAP      Security Content Automation Protocol
SIGTARP   Special Inspector General for the Troubled Asset Relief Program
SP        Special Publication
TAF       Trusted Agent FISMA
TCSIRC    Treasury Computer Security Incident Response Capability
TD        Treasury Directive
TD P      Treasury Directive Publication
TIGTA     Treasury Inspector General for Tax Administration
TTB       Alcohol and Tobacco Tax and Trade Bureau
US-CERT   United States Computer Emergency Readiness Team

ATTACHMENT 2

Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2009, October 27, 2009

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

INSPECTOR GENERAL for TAX ADMINISTRATION

October 27, 2009

MEMORANDUM FOR ASSISTANT INSPECTOR GENERAL FOR AUDIT
               OFFICE OF THE TREASURY INSPECTOR GENERAL

FROM:          Michael R. Phillips
               Deputy Inspector General for Audit

SUBJECT:       Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2009 (Audit # 200920010)

We are pleased to submit the Treasury Inspector General for Tax Administration’s Federal Information Security Management Act (FISMA)¹ report for Fiscal Year 2009. The FISMA requires the Office of Inspector General to perform an annual independent evaluation of information security policies, procedures, and practices, as well as evaluate compliance with FISMA requirements. This report reflects our independent evaluation of the Internal Revenue Service’s (IRS) information technology security program for the period under review.

We based our evaluation on the Office of Management and Budget (OMB) FISMA 2009 Reporting Guidelines. During the 2009 evaluation period,² we conducted eight audits, as shown in Attachment I, to evaluate the adequacy of information security in the IRS. We considered the results of these audits in our evaluation. In addition, we evaluated a representative sample of 12 major IRS information systems for our FISMA work. For each system in the sample, we assessed the quality of the certification and accreditation process, the annual testing of controls for continuous monitoring, testing of information technology contingency plans, and the quality of the Plan of Action and Milestones process.
We also conducted tests to evaluate processes over inventory accuracy, configuration management, incident reporting, security awareness and specialized security training, and the information privacy program.

Included in Attachment II are our responses to the OMB Fiscal Year 2009 FISMA questions for the Inspector General. We are confident that the IRS has:

•   Established a materially correct inventory.
•   Implemented a certification and accreditation process that follows the National Institute for Standards and Technology (NIST) framework.
•   Sufficiently tested its information technology contingency plans.
•   Implemented an adequate Plan of Action and Milestones process to ensure that security weaknesses are remediated.
•   Followed policies and procedures for reporting computer security incidents.
•   Provided employees security awareness and specialized security training.
•   Implemented adequate policies to protect privacy-related information.

¹ 44 U.S.C. §§ 3541 - 3549.
² The FISMA evaluation period for the Department of the Treasury is July 1, 2008, through June 30, 2009. All subsequent references to 2009 refer to the FISMA evaluation period.

Since the enactment of the FISMA in Calendar Year 2002, overall, the IRS has made steady progress in complying with FISMA requirements. In addition, the IRS continues to place a high priority on efforts to improve its security program. We observed significant improvements in information technology contingency plan testing and additional improvements in annual security controls testing, two security areas we identified as needing improvement in our 2008 FISMA evaluation.³ However, based on our 2009 evaluation, we believe the IRS still needs to take additional actions in the areas of certification and accreditation, and configuration management to better secure its systems and data.

Certification and Accreditation Process

The OMB guidelines for minimum security controls in Federal Government information systems require that all systems be certified and accredited every 3 years, or when major system changes occur. The NIST provides guidelines for conducting the system certifications and accreditations. Five of the 12 systems in our sample were certified and accredited in 2009. We evaluated the quality of the certification and accreditation process for these five systems and determined that all of them were properly certified and accredited in accordance with NIST guidelines.

The OMB also requires that system security controls be tested for every system at least annually. In years when a system will not be certified and accredited, a subset of security controls must be tested. The NIST provides guidelines for annual testing of security controls. We reviewed the adequacy of annual testing of security controls for 7 of the 12 systems in our sample that were not certified and accredited in 2009. We found that an appropriate subset of management, operational, and technical controls was selected, documented, and approved for each of the seven systems. However, tests of the operational and technical controls for three of the seven systems were not sufficient to determine if the controls were in place and operating as intended. Specifically, 11 (31 percent) of 35 operational controls and 15 (27 percent) of 56 technical controls selected for the 3 systems, collectively, were not adequately tested. The tests were limited to examining certification and accreditation documentation or conducting interviews without examining system evidence.
For example, configuration change control is an operational control that ensures changes to the information system are authorized, documented, and controlled. For one of the systems, the IRS evaluated this control by examining the test results from the system’s last certification and accreditation in 2007. For another system, the IRS evaluated the control by referring to a description of the control in the system’s System Security Plan. In both examples, the IRS did not actually test the control. As a result, these tests were insufficient to determine whether the security controls were operating as intended.

³ Treasury Inspector General for Tax Administration – Federal Information Security Management Act Report for Fiscal Year 2008 (Reference Number 2008-20-173, dated September 10, 2008).

Configuration Management

The OMB required Federal Government agencies that use the Windows XP or VISTA operating systems to adopt a standard set of configuration settings by February 1, 2008. These configuration settings are referred to as the Federal Desktop Core Configuration (FDCC). The IRS has made significant progress in implementing FDCC standard settings. As of the end of the 2009 evaluation period, the IRS had implemented or had deviations approved by the Department of the Treasury for 265 (94 percent) of 282 FDCC settings. The IRS continues to test the remaining FDCC configurations and has a plan in place to reach full implementation by February 2010. The IRS has not, however, modified its software contracts to ensure purchased software will operate properly with the FDCC settings. In March 2009, we issued a report⁴ in which we identified that 27 of 30 software contracts that we examined did not include the required FDCC contract language.
The IRS has not yet developed\na policy that would require the inclusion of the FDCC language in contracts for new software\nproducts. The IRS responded to the report that it planned to issue an agency-wide policy that\nwill incorporate the FDCC contract language in information technology acquisitions.\nPlease contact me at (202) 622-6510 if you have questions or Alan R. Duncan, Assistant\nInspector General for Audit (Security and Information Technology Services), at (202) 622-8510.\n\n\nAttachments\n\n\n\n\n4\n Progress Has Been Slow in Implementing Federal Security Configurations on Employee Computers (Reference\nNumber 2009-20-055, dated March 27, 2009).\n\x0c                                                                         Attachment I\n\nTreasury Inspector General for Tax Administration\n Information Technology Security Reports Issued\n        During the 2009 Evaluation Period\n\n1. The Office of Research, Analysis, and Statistics Needs to Address Computer Security\n   Weaknesses (Reference Number 2008-20-176, dated September 17, 2008).\n2. Weaknesses in Business Resumption Plans Could Delay Recovery From a Disaster\n   (Reference Number 2008-20-178, dated September 17, 2008).\n3. The Internal Revenue Service Deployed Two of Its Most Important Modernized Systems\n   With Known Security Vulnerabilities (Reference Number 2008-20-163, dated\n   September 24, 2008).\n4. The Internal Revenue Service Deployed the Modernized e-File System With Known\n   Security Vulnerabilities (Reference Number 2009-20-026, dated December 30, 2008).\n5. Better Emergency Preparedness Planning Could Improve Business Continuity Efforts\n   (Reference Number 2009-20-038, dated February 13, 2009).\n6. While Controls Have Been Implemented to Address Malware, Continued Attention Is\n   Needed to Address This Growing Threat (Reference Number 2009-20-045, dated\n   March 10, 2009).\n7. 
Progress Has Been Slow in Implementing Federal Security Configurations on Employee\n   Computers (Reference Number 2009-20-055, dated March 27, 2009).\n8. The Homeland Security Presidential Directive 12 Program Office Has Addressed Prior\n   Weaknesses, but Progress Is Slower Than What Has Been Reported (Reference\n   Number 2009-20-084, dated June 25, 2009).\n\n\n\n\n                                                                                   Page 1\n\x0c                                                                                                  Attachment II\n\n   Treasury Inspector General for Tax Administration\n   Responses to the 2009 Office of Management and\n   Budget Federal Information Security Management\n           Act Inspector General Questions\n\nQuestion\xc2\xa01:\xc2\xa0System\xc2\xa0Inventory\xc2\xa0\nIdentify\xc2\xa0the\xc2\xa0number\xc2\xa0of\xc2\xa0agency\xc2\xa0and\xc2\xa0contractor\xc2\xa0systems\xc2\xa0by\xc2\xa0component\xc2\xa0and\xc2\xa0Federal\xc2\xa0Information\xc2\xa0\nProcessing\xc2\xa0Standard\xc2\xa0(FIPS)\xc2\xa0199\xc2\xa0impact\xc2\xa0level\xc2\xa0(low,\xc2\xa0moderate,\xc2\xa0high).\xc2\xa0\xc2\xa0Please\xc2\xa0also\xc2\xa0identify\xc2\xa0the\xc2\xa0number\xc2\xa0of\xc2\xa0\nsystems\xc2\xa0that\xc2\xa0are\xc2\xa0used\xc2\xa0by\xc2\xa0your\xc2\xa0agency\xc2\xa0but\xc2\xa0owned\xc2\xa0by\xc2\xa0another\xc2\xa0Federal\xc2\xa0agency\xc2\xa0(i.e.,\xc2\xa0ePayroll,\xc2\xa0etc.)\xc2\xa0by\xc2\xa0\ncomponent\xc2\xa0and\xc2\xa0FIPS\xc2\xa0199\xc2\xa0impact\xc2\xa0level.\xc2\xa0\n\xc2\xa0\n Internal\xc2\xa0Revenue\xc2\xa0          \xc2\xa0                                                                     \xc2\xa0\n Service\xc2\xa0(IRS)\xc2\xa0\n  FIPS\xc2\xa0199\xc2\xa0System\xc2\xa0       Agency\xc2\xa0      Contractor          Total\xc2\xa0Systems\xc2\xa0             Systems\xc2\xa0Owned\xc2\xa0by\xc2\xa0\n    Impact\xc2\xa0Level\xc2\xa0        Systems\xc2\xa0      Systems\xc2\xa0      
(Agency\xc2\xa0and\xc2\xa0Contractor\xc2\xa0 Another\xc2\xa0Federal\xc2\xa0Agency\xc2\xa0\n                                                              Systems)\xc2\xa0\n  High\xc2\xa0                        4\xc2\xa0            0                     4                         *\xc2\xa0\n  Moderate\xc2\xa0                 181\xc2\xa0             6                   187                         *\xc2\xa0\n  Low\xc2\xa0                        44\xc2\xa0            0                    44                         *\xc2\xa0\n               Total\xc2\xa0       229\xc2\xa0             6                   235                         *\xc2\xa0\n\xc2\xa0\xc2\xa0\xc2\xa0*\xc2\xa0This\xc2\xa0information\xc2\xa0will\xc2\xa0be\xc2\xa0provided\xc2\xa0by\xc2\xa0the\xc2\xa0Department\xc2\xa0of\xc2\xa0the\xc2\xa0Treasury\xc2\xa0for\xc2\xa0all\xc2\xa0agency\xc2\xa0components.\xc2\xa0\n\nQuestion\xc2\xa02:\xc2\xa0Certification\xc2\xa0and\xc2\xa0Accreditation,\xc2\xa0Security\xc2\xa0Controls\xc2\xa0Testing,\xc2\xa0and\xc2\xa0Contingency\xc2\xa0Plan\xc2\xa0Testing\xc2\xa0\nFor\xc2\xa0the\xc2\xa0Total\xc2\xa0Number\xc2\xa0of\xc2\xa0Systems\xc2\xa0reviewed\xc2\xa0by\xc2\xa0Component/Bureau\xc2\xa0and\xc2\xa0FIPS\xc2\xa0System\xc2\xa0Impact\xc2\xa0Level\xc2\xa0in\xc2\xa0the\xc2\xa0\ntable\xc2\xa0for\xc2\xa0Question\xc2\xa01,\xc2\xa0identify\xc2\xa0the\xc2\xa0number\xc2\xa0and\xc2\xa0percentage\xc2\xa0of\xc2\xa0systems\xc2\xa0which\xc2\xa0have:\xc2\xa0a\xc2\xa0current\xc2\xa0certification\xc2\xa0\nand\xc2\xa0accreditation,\xc2\xa0security\xc2\xa0controls\xc2\xa0tested\xc2\xa0and\xc2\xa0reviewed\xc2\xa0within\xc2\xa0the\xc2\xa0past\xc2\xa0year,\xc2\xa0and\xc2\xa0a\xc2\xa0contingency\xc2\xa0plan\xc2\xa0\ntested\xc2\xa0in\xc2\xa0accordance\xc2\xa0with\xc2\xa0policy.\xc2\xa0\n\xc2\xa0\n FIPS\xc2\xa0199\xc2\xa0       Systems\xc2\xa0     Number\xc2\xa0of\xc2\xa0                 Systems\xc2\xa0with\xc2\xa0                Systems\xc2\xa0with\xc2\xa0       \xc2\xa0\n  System\xc2\xa0       
Reviewed\xc2\xa0   systems\xc2\xa0with\xc2\xa0     %\xc2\xa0of\xc2\xa0    security\xc2\xa0controls\xc2\xa0   %\xc2\xa0of\xc2\xa0      contingency\xc2\xa0     %\xc2\xa0of\xc2\xa0\n  Impact\xc2\xa0                      a\xc2\xa0current\xc2\xa0     Total\xc2\xa0      tested\xc2\xa0and\xc2\xa0       Total\xc2\xa0   plans\xc2\xa0tested\xc2\xa0in\xc2\xa0   Total\xc2\xa0\n   Level\xc2\xa0                    certification\xc2\xa0            reviewed\xc2\xa0within\xc2\xa0                accordance\xc2\xa0        \xc2\xa0\n                                  and\xc2\xa0                   the\xc2\xa0past\xc2\xa0year\xc2\xa0                 with\xc2\xa0policy\xc2\xa0\n                            accreditation\xc2\xa0\n High\xc2\xa0              0\xc2\xa0               \xc2\xa0                                                                  \xc2\xa0\n Moderate\xc2\xa0         12\xc2\xa0            12\xc2\xa0         100%             12           100%            12\xc2\xa0             100%\n Low\xc2\xa0               0\xc2\xa0               \xc2\xa0                                                        \xc2\xa0\n       Total\xc2\xa0      12\xc2\xa0            12\xc2\xa0         100%             12           100%            12\xc2\xa0             100%\n\n                                                                                                                   Page 
1\n\x0cQuestion\xc2\xa03:\xc2\xa0Evaluation\xc2\xa0of\xc2\xa0Agency\xc2\xa0Oversight\xc2\xa0of\xc2\xa0Contractor\xc2\xa0Systems\xc2\xa0and\xc2\xa0Quality\xc2\xa0of\xc2\xa0Agency\xc2\xa0System\xc2\xa0\nInventory\xc2\xa0\xc2\xa0\nThe\xc2\xa0agency\xc2\xa0performs\xc2\xa0oversight\xc2\xa0and\xc2\xa0evaluation\xc2\xa0to\xc2\xa0ensure\xc2\xa0information\xc2\xa0systems\xc2\xa0used\xc2\xa0or\xc2\xa0operated\xc2\xa0by\xc2\xa0a\xc2\xa0\ncontractor\xc2\xa0of\xc2\xa0the\xc2\xa0agency\xc2\xa0or\xc2\xa0other\xc2\xa0organization\xc2\xa0on\xc2\xa0behalf\xc2\xa0of\xc2\xa0the\xc2\xa0agency\xc2\xa0meet\xc2\xa0the\xc2\xa0requirements\xc2\xa0of\xc2\xa0FISMA,\xc2\xa0\nOMB\xc2\xa0policy\xc2\xa0and\xc2\xa0NIST\xc2\xa0guidelines,\xc2\xa0national\xc2\xa0security\xc2\xa0policy,\xc2\xa0and\xc2\xa0agency\xc2\xa0policy.\xc2\xa0\nDoes\xc2\xa0the\xc2\xa0agency\xc2\xa0have\xc2\xa0policies\xc2\xa0for\xc2\xa0oversight\xc2\xa0of\xc2\xa0contractors?\xc2\xa0Yes/No\xc2\xa0\n       Yes.\xc2\xa0\nIf\xc2\xa0the\xc2\xa0answer\xc2\xa0above\xc2\xa0is\xc2\xa0yes,\xc2\xa0is\xc2\xa0the\xc2\xa0policy\xc2\xa0implemented?\xc2\xa0\n         Yes.\xc2\xa0\xc2\xa0The\xc2\xa0response\xc2\xa0to\xc2\xa0this\xc2\xa0question\xc2\xa0is\xc2\xa0based\xc2\xa0on\xc2\xa0our\xc2\xa0evaluation\xc2\xa0of\xc2\xa0the\xc2\xa0annual\xc2\xa0testing\xc2\xa0of\xc2\xa0\xc2\xa0\n         1\xc2\xa0contractor\xc2\xa0system\xc2\xa0in\xc2\xa0the\xc2\xa0sample\xc2\xa0of\xc2\xa012\xc2\xa0systems\xc2\xa0reviewed.\xc2\xa0\xc2\xa0The\xc2\xa0Treasury\xc2\xa0Inspector\xc2\xa0General\xc2\xa0for\xc2\xa0\n         Tax\xc2\xa0Administration\xc2\xa0(TIGTA)\xc2\xa0is\xc2\xa0currently\xc2\xa0conducting\xc2\xa0an\xc2\xa0audit\xc2\xa0of\xc2\xa0the\xc2\xa0effectiveness\xc2\xa0of\xc2\xa0contractor\xc2\xa0\n         
managed\xc2\xa0systems,\xc2\xa0the\xc2\xa0results\xc2\xa0of\xc2\xa0which\xc2\xa0will\xc2\xa0be\xc2\xa0reflected\xc2\xa0in\xc2\xa0future\xc2\xa0FISMA\xc2\xa0evaluation\xc2\xa0results.\xc2\xa0\nThe\xc2\xa0agency\xc2\xa0has\xc2\xa0a\xc2\xa0materially\xc2\xa0correct\xc2\xa0inventory\xc2\xa0of\xc2\xa0major\xc2\xa0information\xc2\xa0systems\xc2\xa0(including\xc2\xa0national\xc2\xa0security\xc2\xa0\nsystems)\xc2\xa0operated\xc2\xa0by\xc2\xa0or\xc2\xa0under\xc2\xa0the\xc2\xa0control\xc2\xa0of\xc2\xa0such\xc2\xa0agency.\xc2\xa0Yes/No\xc2\xa0\n       Yes.\xc2\xa0\nDoes\xc2\xa0the\xc2\xa0agency\xc2\xa0maintain\xc2\xa0an\xc2\xa0inventory\xc2\xa0of\xc2\xa0interfaces\xc2\xa0between\xc2\xa0the\xc2\xa0agency\xc2\xa0systems\xc2\xa0and\xc2\xa0all\xc2\xa0other\xc2\xa0systems,\xc2\xa0\nsuch\xc2\xa0as\xc2\xa0those\xc2\xa0not\xc2\xa0operated\xc2\xa0by\xc2\xa0or\xc2\xa0under\xc2\xa0the\xc2\xa0control\xc2\xa0of\xc2\xa0the\xc2\xa0agency?\xc2\xa0Yes/No\xc2\xa0\n        Yes.\xc2\xa0\nDoes\xc2\xa0the\xc2\xa0agency\xc2\xa0require\xc2\xa0agreements\xc2\xa0for\xc2\xa0interfaces\xc2\xa0between\xc2\xa0systems\xc2\xa0it\xc2\xa0owns\xc2\xa0or\xc2\xa0operates\xc2\xa0and\xc2\xa0other\xc2\xa0\nsystems\xc2\xa0not\xc2\xa0operated\xc2\xa0by\xc2\xa0or\xc2\xa0under\xc2\xa0the\xc2\xa0control\xc2\xa0of\xc2\xa0the\xc2\xa0agency?\xc2\xa0Yes/No\xc2\xa0\n       Yes.\xc2\xa0\nThe\xc2\xa0IG\xc2\xa0generally\xc2\xa0agrees\xc2\xa0with\xc2\xa0the\xc2\xa0CIO\xc2\xa0on\xc2\xa0the\xc2\xa0number\xc2\xa0of\xc2\xa0agency\xe2\x80\x90owned\xc2\xa0systems.\xc2\xa0Yes/No\xc2\xa0\n        Yes.\xc2\xa0\nThe\xc2\xa0IG\xc2\xa0generally\xc2\xa0agrees\xc2\xa0with\xc2\xa0the\xc2\xa0CIO\xc2\xa0on\xc2\xa0the\xc2\xa0number\xc2\xa0of\xc2\xa0information\xc2\xa0systems\xc2\xa0used\xc2\xa0or\xc2\xa0operated\xc2\xa0by\xc2\xa0a\xc2\xa0\ncontractor\xc2\xa0of\xc2\xa0the\xc2\xa0agency\xc2\xa0or\xc2\xa0other\xc2\xa0organization\xc2\xa0on\xc2\xa0behalf\xc2\xa0of\xc2\xa0the\xc2\xa0agency.\xc2\xa0Yes/No\xc2\xa0\n        
Yes.\xc2\xa0\nThe\xc2\xa0agency\xc2\xa0inventory\xc2\xa0is\xc2\xa0maintained\xc2\xa0and\xc2\xa0updated\xc2\xa0at\xc2\xa0least\xc2\xa0annually.\xc2\xa0Yes/No\xc2\xa0\n       Yes.\xc2\xa0\nIf\xc2\xa0the\xc2\xa0IG\xc2\xa0does\xc2\xa0not\xc2\xa0indicate\xc2\xa0that\xc2\xa0the\xc2\xa0agency\xc2\xa0has\xc2\xa0a\xc2\xa0materially\xc2\xa0correct\xc2\xa0inventory,\xc2\xa0please\xc2\xa0identify\xc2\xa0any\xc2\xa0known\xc2\xa0\nmissing\xc2\xa0major\xc2\xa0systems\xc2\xa0by\xc2\xa0Component/Bureau,\xc2\xa0the\xc2\xa0Unique\xc2\xa0Project\xc2\xa0Identifier\xc2\xa0(UPI)\xc2\xa0associated\xc2\xa0with\xc2\xa0the\xc2\xa0\nsystems\xc2\xa0as\xc2\xa0presented\xc2\xa0in\xc2\xa0the\xc2\xa0FY\xc2\xa02009\xc2\xa0Exhibit\xc2\xa0300\xc2\xa0(if\xc2\xa0known),\xc2\xa0and\xc2\xa0indicate\xc2\xa0if\xc2\xa0the\xc2\xa0system\xc2\xa0is\xc2\xa0an\xc2\xa0agency\xc2\xa0or\xc2\xa0\ncontractor\xc2\xa0system.\xc2\xa0\n         Not\xc2\xa0applicable\xc2\xa0as\xc2\xa0the\xc2\xa0TIGTA\xc2\xa0agrees\xc2\xa0that\xc2\xa0the\xc2\xa0IRS\xc2\xa0has\xc2\xa0a\xc2\xa0materially\xc2\xa0correct\xc2\xa0inventory.\xc2\xa0\n\nQuestion\xc2\xa04:\xc2\xa0Evaluation\xc2\xa0of\xc2\xa0Agency\xc2\xa0Plan\xc2\xa0of\xc2\xa0Action\xc2\xa0and\xc2\xa0Milestones\xc2\xa0(POA&M)\xc2\xa0Process\xc2\xa0\xc2\xa0\nAssess\xc2\xa0whether\xc2\xa0the\xc2\xa0agency\xc2\xa0has\xc2\xa0developed,\xc2\xa0implemented,\xc2\xa0and\xc2\xa0is\xc2\xa0managing\xc2\xa0an\xc2\xa0agency\xe2\x80\x90wide\xc2\xa0plan\xc2\xa0of\xc2\xa0action\xc2\xa0\nand\xc2\xa0milestones\xc2\xa0(POA&M)\xc2\xa0process,\xc2\xa0providing\xc2\xa0explanatory\xc2\xa0detail\xc2\xa0in\xc2\xa0the\xc2\xa0area\xc2\xa0provided.\xc2\xa0\nHas\xc2\xa0the\xc2\xa0agency\xc2\xa0developed\xc2\xa0and\xc2\xa0documented\xc2\xa0an\xc2\xa0adequate\xc2\xa0policy\xc2\xa0that\xc2\xa0establishes\xc2\xa0a\xc2\xa0POA&M\xc2\xa0process\xc2\xa0for\xc2\xa0\nreporting\xc2\xa0IT\xc2\xa0security\xc2\xa0deficiencies\xc2\xa0and\xc2\xa0tracking\xc2\xa0the\xc2\xa0status\xc2\xa0of\xc2\xa0remediation\xc2\xa0efforts?\xc2
\xa0Yes/No\xc2\xa0\n        Yes.\xc2\xa0\n                                                                                                  Page 2\n\x0cHas\xc2\xa0the\xc2\xa0agency\xc2\xa0fully\xc2\xa0implemented\xc2\xa0the\xc2\xa0policy?\xc2\xa0Yes/No\xc2\xa0\n        Yes.\xc2\xa0\nIs\xc2\xa0the\xc2\xa0agency\xc2\xa0currently\xc2\xa0managing\xc2\xa0and\xc2\xa0operating\xc2\xa0a\xc2\xa0POA&M\xc2\xa0process?\xc2\xa0\n         Yes.\xc2\xa0\nIs\xc2\xa0the\xc2\xa0agency\xe2\x80\x99s\xc2\xa0POA&M\xc2\xa0process\xc2\xa0an\xc2\xa0agency\xe2\x80\x90wide\xc2\xa0process,\xc2\xa0incorporating\xc2\xa0all\xc2\xa0known\xc2\xa0IT\xc2\xa0security\xc2\xa0weaknesses,\xc2\xa0\nincluding\xc2\xa0IG/external\xc2\xa0audit\xc2\xa0findings\xc2\xa0associated\xc2\xa0with\xc2\xa0information\xc2\xa0systems\xc2\xa0used\xc2\xa0or\xc2\xa0operated\xc2\xa0by\xc2\xa0the\xc2\xa0agency\xc2\xa0\nor\xc2\xa0by\xc2\xa0a\xc2\xa0contractor\xc2\xa0of\xc2\xa0the\xc2\xa0agency\xc2\xa0or\xc2\xa0other\xc2\xa0organization\xc2\xa0on\xc2\xa0behalf\xc2\xa0of\xc2\xa0the\xc2\xa0agency?\xc2\xa0Yes/No\xc2\xa0\n         Yes.\xc2\xa0\nDoes\xc2\xa0the\xc2\xa0POA&M\xc2\xa0process\xc2\xa0prioritize\xc2\xa0IT\xc2\xa0security\xc2\xa0weaknesses\xc2\xa0to\xc2\xa0help\xc2\xa0ensure\xc2\xa0significant\xc2\xa0IT\xc2\xa0security\xc2\xa0\nweaknesses\xc2\xa0are\xc2\xa0corrected\xc2\xa0in\xc2\xa0a\xc2\xa0timely\xc2\xa0manner\xc2\xa0and\xc2\xa0receive\xc2\xa0appropriate\xc2\xa0resources?\xc2\xa0Yes/No\xc2\xa0\n       Yes.\xc2\xa0\nWhen\xc2\xa0an\xc2\xa0IT\xc2\xa0security\xc2\xa0weakness\xc2\xa0is\xc2\xa0identified,\xc2\xa0do\xc2\xa0program\xc2\xa0officials\xc2\xa0(including\xc2\xa0CIOs,\xc2\xa0if\xc2\xa0they\xc2\xa0own\xc2\xa0or\xc2\xa0operate\xc2\xa0a\xc2\xa0\nsystem)\xc2\xa0develop,\xc2\xa0implement,\xc2\xa0and\xc2\xa0manage\xc2\xa0POA&Ms\xc2\xa0for\xc2\xa0their\xc2\xa0system(s)?\xc2\xa0Yes/No\xc2\xa0\n       
Yes.\xc2\xa0\nFor\xc2\xa0Systems\xc2\xa0Reviewed:\xc2\xa0\na.\xc2\xa0Are\xc2\xa0deficiencies\xc2\xa0tracked\xc2\xa0and\xc2\xa0remediated\xc2\xa0in\xc2\xa0a\xc2\xa0timely\xc2\xa0manner?\xc2\xa0Yes/No\xc2\xa0\n        Yes.\xc2\xa0\nb.\xc2\xa0Are\xc2\xa0the\xc2\xa0remediation\xc2\xa0plans\xc2\xa0effective\xc2\xa0for\xc2\xa0correcting\xc2\xa0the\xc2\xa0security\xc2\xa0weakness?\xc2\xa0Yes/No\xc2\xa0\n         Yes.\xc2\xa0\nc.\xc2\xa0Are\xc2\xa0the\xc2\xa0estimated\xc2\xa0dates\xc2\xa0for\xc2\xa0remediation\xc2\xa0reasonable\xc2\xa0and\xc2\xa0adhered\xc2\xa0to?\xc2\xa0Yes/No\xc2\xa0\n         Yes.\xc2\xa0\nDo\xc2\xa0Program\xc2\xa0officials\xc2\xa0and\xc2\xa0contractors\xc2\xa0report\xc2\xa0their\xc2\xa0progress\xc2\xa0on\xc2\xa0security\xc2\xa0weakness\xc2\xa0remediation\xc2\xa0to\xc2\xa0the\xc2\xa0CIO\xc2\xa0\non\xc2\xa0a\xc2\xa0regular\xc2\xa0basis\xc2\xa0(at\xc2\xa0least\xc2\xa0quarterly)?\xc2\xa0Yes/No\xc2\xa0\n        Yes.\xc2\xa0\nDoes\xc2\xa0the\xc2\xa0Agency\xc2\xa0CIO\xc2\xa0centrally\xc2\xa0track,\xc2\xa0maintain,\xc2\xa0and\xc2\xa0independently\xc2\xa0review/validate\xc2\xa0POA&M\xc2\xa0activities\xc2\xa0on\xc2\xa0\nat\xc2\xa0least\xc2\xa0a\xc2\xa0quarterly\xc2\xa0basis?\xc2\xa0Yes/No\xc2\xa0\n         
Yes.\xc2\xa0\n\nQuestion\xc2\xa05:\xc2\xa0IG\xc2\xa0Assessment\xc2\xa0of\xc2\xa0the\xc2\xa0Certification\xc2\xa0and\xc2\xa0Accreditation\xc2\xa0Process\xc2\xa0\nProvide\xc2\xa0a\xc2\xa0qualitative\xc2\xa0assessment\xc2\xa0of\xc2\xa0the\xc2\xa0agency\xe2\x80\x99s\xc2\xa0certification\xc2\xa0and\xc2\xa0accreditation\xc2\xa0process,\xc2\xa0including\xc2\xa0\nadherence\xc2\xa0to\xc2\xa0existing\xc2\xa0policy,\xc2\xa0guidance,\xc2\xa0and\xc2\xa0standards.\xc2\xa0\xc2\xa0Agencies\xc2\xa0shall\xc2\xa0follow\xc2\xa0NIST\xc2\xa0Special\xc2\xa0\xc2\xa0\nPublication\xc2\xa0800\xe2\x80\x9037,\xc2\xa0Guide\xc2\xa0for\xc2\xa0the\xc2\xa0Security\xc2\xa0Certification\xc2\xa0and\xc2\xa0Accreditation\xc2\xa0of\xc2\xa0Federal\xc2\xa0Information\xc2\xa0\nSystems\xc2\xa0(May\xc2\xa02004)\xc2\xa0for\xc2\xa0certification\xc2\xa0and\xc2\xa0accreditation\xc2\xa0work\xc2\xa0initiated\xc2\xa0after\xc2\xa0May\xc2\xa02004.\xc2\xa0\xc2\xa0This\xc2\xa0includes\xc2\xa0use\xc2\xa0\nof\xc2\xa0the\xc2\xa0FIPS\xc2\xa0199\xc2\xa0(February\xc2\xa02004),\xc2\xa0Standards\xc2\xa0for\xc2\xa0Security\xc2\xa0Categorization\xc2\xa0of\xc2\xa0Federal\xc2\xa0Information\xc2\xa0and\xc2\xa0\nInformation\xc2\xa0Systems,\xc2\xa0to\xc2\xa0determine\xc2\xa0a\xc2\xa0system\xc2\xa0impact\xc2\xa0level,\xc2\xa0as\xc2\xa0well\xc2\xa0as\xc2\xa0associated\xc2\xa0NIST\xc2\xa0documents\xc2\xa0used\xc2\xa0as\xc2\xa0\nguidance\xc2\xa0for\xc2\xa0completing\xc2\xa0risk\xc2\xa0assessments\xc2\xa0and\xc2\xa0security\xc2\xa0plans.\xc2\xa0\xc2\xa0Provide\xc2\xa0explanatory\xc2\xa0detail\xc2\xa0in\xc2\xa0the\xc2\xa0area\xc2\xa0\nprovided.\xc2\xa0\n         Five\xc2\xa0of\xc2\xa0the\xc2\xa012\xc2\xa0systems\xc2\xa0reviewed\xc2\xa0were\xc2\xa0certified\xc2\xa0and\xc2\xa0accredited\xc2\xa0during\xc2\xa0the\xc2\xa0past\xc2\xa0year.\xc2\xa0\xc2\xa0Security\xc2\xa0\n         
controls\xc2\xa0were\xc2\xa0selected\xc2\xa0and\xc2\xa0tested\xc2\xa0for\xc2\xa0the\xc2\xa0remaining\xc2\xa0seven\xc2\xa0systems\xc2\xa0as\xc2\xa0part\xc2\xa0of\xc2\xa0the\xc2\xa0continuous\xc2\xa0\n         monitoring\xc2\xa0of\xc2\xa0security\xc2\xa0controls.\xc2\xa0\n\n                                                                                                   Page 3\n\x0cHas\xc2\xa0the\xc2\xa0agency\xc2\xa0developed\xc2\xa0and\xc2\xa0documented\xc2\xa0an\xc2\xa0adequate\xc2\xa0policy\xc2\xa0for\xc2\xa0establishing\xc2\xa0a\xc2\xa0certification\xc2\xa0and\xc2\xa0\naccreditation\xc2\xa0process\xc2\xa0that\xc2\xa0follows\xc2\xa0the\xc2\xa0NIST\xc2\xa0framework?\xc2\xa0Yes/No\xc2\xa0\n        Yes.\xc2\xa0\nIs\xc2\xa0the\xc2\xa0agency\xc2\xa0currently\xc2\xa0managing\xc2\xa0and\xc2\xa0operating\xc2\xa0a\xc2\xa0C&A\xc2\xa0process\xc2\xa0in\xc2\xa0compliance\xc2\xa0with\xc2\xa0its\xc2\xa0policies?\xc2\xa0Yes/No\xc2\xa0\n         Yes.\xc2\xa0\nFor\xc2\xa0systems\xc2\xa0reviewed,\xc2\xa0does\xc2\xa0the\xc2\xa0C&A\xc2\xa0process\xc2\xa0adequately\xc2\xa0provide:\xc2\xa0(check\xc2\xa0all\xc2\xa0that\xc2\xa0apply)\xc2\xa0\n        9\xc2\xa0\xc2\xa0Appropriate\xc2\xa0risk\xc2\xa0categories\xc2\xa0\n        9\xc2\xa0\xc2\xa0Adequate\xc2\xa0risk\xc2\xa0assessments\xc2\xa0\n        9\xc2\xa0\xc2\xa0Selection\xc2\xa0of\xc2\xa0appropriate\xc2\xa0controls\xc2\xa0\n        \xc2\xa0X\xc2\xa0\xc2\xa0\xc2\xa0Adequate\xc2\xa0testing\xc2\xa0of\xc2\xa0controls\xc2\xa0\n        9\xc2\xa0\xc2\xa0Regular\xc2\xa0monitoring\xc2\xa0of\xc2\xa0system\xc2\xa0risks\xc2\xa0and\xc2\xa0the\xc2\xa0adequacy\xc2\xa0of\xc2\xa0controls\xc2\xa0\n       Controls\xc2\xa0were\xc2\xa0not\xc2\xa0adequately\xc2\xa0tested\xc2\xa0for\xc2\xa03\xc2\xa0of\xc2\xa0the\xc2\xa012\xc2\xa0sampled\xc2\xa0systems\xc2\xa0reviewed.\xc2\xa0\xc2\xa0For\xc2\xa0each\xc2\xa0of\xc2\xa0the\xc2\xa0\n       
three\xc2\xa0systems,\xc2\xa0controls\xc2\xa0were\xc2\xa0selected\xc2\xa0and\xc2\xa0tested\xc2\xa0during\xc2\xa02009\xc2\xa0for\xc2\xa0continuous\xc2\xa0monitoring\xc2\xa0of\xc2\xa0\n       security.\xc2\xa0\xc2\xa0However,\xc2\xa0tests\xc2\xa0of\xc2\xa0the\xc2\xa0operational\xc2\xa0and\xc2\xa0technical\xc2\xa0controls\xc2\xa0for\xc2\xa0the\xc2\xa0three\xc2\xa0systems\xc2\xa0were\xc2\xa0\n       not\xc2\xa0sufficient\xc2\xa0to\xc2\xa0determine\xc2\xa0if\xc2\xa0the\xc2\xa0controls\xc2\xa0were\xc2\xa0in\xc2\xa0place\xc2\xa0and\xc2\xa0operating\xc2\xa0as\xc2\xa0intended.\xc2\xa0\xc2\xa0Specifically,\xc2\xa0\xc2\xa0\n       11\xc2\xa0(31\xc2\xa0percent)\xc2\xa0of\xc2\xa035\xc2\xa0operational\xc2\xa0controls\xc2\xa0and\xc2\xa015\xc2\xa0(27\xc2\xa0percent)\xc2\xa0of\xc2\xa056\xc2\xa0technical\xc2\xa0controls\xc2\xa0selected\xc2\xa0\n       for\xc2\xa0the\xc2\xa03\xc2\xa0systems,\xc2\xa0collectively,\xc2\xa0were\xc2\xa0not\xc2\xa0adequately\xc2\xa0tested.\xc2\xa0\xc2\xa0The\xc2\xa0tests\xc2\xa0were\xc2\xa0limited\xc2\xa0to\xc2\xa0examining\xc2\xa0\n       certification\xc2\xa0and\xc2\xa0accreditation\xc2\xa0documentation\xc2\xa0or\xc2\xa0conducting\xc2\xa0interviews\xc2\xa0without\xc2\xa0examining\xc2\xa0\n       system\xc2\xa0evidence.\xc2\xa0\xc2\xa0For\xc2\xa0example,\xc2\xa0configuration\xc2\xa0change\xc2\xa0control\xc2\xa0is\xc2\xa0an\xc2\xa0operational\xc2\xa0control\xc2\xa0that\xc2\xa0\n       ensures\xc2\xa0changes\xc2\xa0to\xc2\xa0the\xc2\xa0information\xc2\xa0system\xc2\xa0are\xc2\xa0authorized,\xc2\xa0documented,\xc2\xa0and\xc2\xa0controlled.\xc2\xa0\xc2\xa0For\xc2\xa0\n       one\xc2\xa0of\xc2\xa0the\xc2\xa0systems,\xc2\xa0the\xc2\xa0IRS\xc2\xa0evaluated\xc2\xa0this\xc2\xa0control\xc2\xa0by\xc2\xa0examining\xc2\xa0the\xc2\xa0test\xc2\xa0results\xc2\xa0from\xc2\xa0the\xc2\xa0\n       
system\xe2\x80\x99s\xc2\xa0last\xc2\xa0certification\xc2\xa0and\xc2\xa0accreditation\xc2\xa0in\xc2\xa02007.\xc2\xa0\xc2\xa0For\xc2\xa0another\xc2\xa0system,\xc2\xa0the\xc2\xa0IRS\xc2\xa0evaluated\xc2\xa0the\xc2\xa0\n       control\xc2\xa0by\xc2\xa0referring\xc2\xa0to\xc2\xa0a\xc2\xa0description\xc2\xa0of\xc2\xa0the\xc2\xa0control\xc2\xa0in\xc2\xa0the\xc2\xa0system\xe2\x80\x99s\xc2\xa0System\xc2\xa0Security\xc2\xa0Plan.\xc2\xa0\xc2\xa0In\xc2\xa0both\xc2\xa0\n       examples,\xc2\xa0the\xc2\xa0IRS\xc2\xa0did\xc2\xa0not\xc2\xa0actually\xc2\xa0test\xc2\xa0the\xc2\xa0control.\xc2\xa0\nFor\xc2\xa0systems\xc2\xa0reviewed,\xc2\xa0is\xc2\xa0the\xc2\xa0Authorizing\xc2\xa0Official\xc2\xa0presented\xc2\xa0with\xc2\xa0complete\xc2\xa0and\xc2\xa0reliable\xc2\xa0C&A\xc2\xa0information\xc2\xa0\nto\xc2\xa0facilitate\xc2\xa0an\xc2\xa0informed\xc2\xa0system\xc2\xa0Authorization\xc2\xa0to\xc2\xa0Operate\xc2\xa0decision\xc2\xa0based\xc2\xa0on\xc2\xa0risks\xc2\xa0and\xc2\xa0controls\xc2\xa0\nimplemented?\xc2\xa0Yes/No\xc2\xa0\n          
Yes.\xc2\xa0\n\nQuestion\xc2\xa06:\xc2\xa0IG\xc2\xa0Assessment\xc2\xa0of\xc2\xa0Agency\xc2\xa0Privacy\xc2\xa0Program\xc2\xa0and\xc2\xa0Privacy\xc2\xa0Impact\xc2\xa0Assessment\xc2\xa0(PIA)\xc2\xa0Process\xc2\xa0\xc2\xa0\nProvide\xc2\xa0a\xc2\xa0qualitative\xc2\xa0assessment\xc2\xa0of\xc2\xa0the\xc2\xa0agency\xe2\x80\x99s\xc2\xa0process,\xc2\xa0as\xc2\xa0discussed\xc2\xa0in\xc2\xa0Section\xc2\xa0D,\xc2\xa0for\xc2\xa0protecting\xc2\xa0\nprivacy\xe2\x80\x90related\xc2\xa0information,\xc2\xa0including\xc2\xa0adherence\xc2\xa0to\xc2\xa0existing\xc2\xa0policy,\xc2\xa0guidance,\xc2\xa0and\xc2\xa0standards.\xc2\xa0Provide\xc2\xa0\nexplanatory\xc2\xa0information\xc2\xa0in\xc2\xa0the\xc2\xa0area\xc2\xa0provided.\xc2\xa0\nHas\xc2\xa0the\xc2\xa0Agency\xc2\xa0developed\xc2\xa0and\xc2\xa0documented\xc2\xa0adequate\xc2\xa0policies\xc2\xa0that\xc2\xa0comply\xc2\xa0with\xc2\xa0OMB\xc2\xa0guidance\xc2\xa0in\xc2\xa0\xc2\xa0\nM\xe2\x80\x9007\xe2\x80\x9016,\xc2\xa0M\xe2\x80\x9006\xe2\x80\x9015,\xc2\xa0and\xc2\xa0M\xe2\x80\x9006\xe2\x80\x9016\xc2\xa0for\xc2\xa0safeguarding\xc2\xa0privacy\xe2\x80\x90related\xc2\xa0information?\xc2\xa0Yes/No\xc2\xa0\n        Yes.\xc2\xa0\nIs\xc2\xa0the\xc2\xa0Agency\xc2\xa0currently\xc2\xa0managing\xc2\xa0and\xc2\xa0operating\xc2\xa0a\xc2\xa0privacy\xc2\xa0program\xc2\xa0with\xc2\xa0appropriate\xc2\xa0controls\xc2\xa0in\xc2\xa0\ncompliance\xc2\xa0with\xc2\xa0its\xc2\xa0policies?\xc2\xa0Yes/No\xc2\xa0\n         Yes.\xc2\xa0\n\n\n                                                                                                   Page 4\n\x0cHas\xc2\xa0the\xc2\xa0Agency\xc2\xa0developed\xc2\xa0and\xc2\xa0documented\xc2\xa0an\xc2\xa0adequate\xc2\xa0policy\xc2\xa0for\xc2\xa0Privacy\xc2\xa0Impact\xc2\xa0Assessments?\xc2\xa0\nYes/No/Not\xc2\xa0Applicable\xc2\xa0\n        
Yes.\xc2\xa0\nHas\xc2\xa0the\xc2\xa0Agency\xc2\xa0fully\xc2\xa0implemented\xc2\xa0the\xc2\xa0policy\xc2\xa0and\xc2\xa0is\xc2\xa0the\xc2\xa0Agency\xc2\xa0currently\xc2\xa0managing\xc2\xa0and\xc2\xa0operating\xc2\xa0a\xc2\xa0\nprocess\xc2\xa0for\xc2\xa0performing\xc2\xa0adequate\xc2\xa0privacy\xc2\xa0impact\xc2\xa0assessments?\xc2\xa0Yes/No/Not\xc2\xa0Applicable\xc2\xa0\n        Yes.\xc2\xa0\n\nQuestion\xc2\xa07:\xc2\xa0Configuration\xc2\xa0Management\xc2\xa0\nIs\xc2\xa0there\xc2\xa0an\xc2\xa0agency\xe2\x80\x90wide\xc2\xa0security\xc2\xa0configuration\xc2\xa0policy?\xc2\xa0Yes/No\xc2\xa0\n         Yes.\xc2\xa0\nWhat\xc2\xa0tools,\xc2\xa0techniques\xc2\xa0is\xc2\xa0your\xc2\xa0agency\xc2\xa0using\xc2\xa0for\xc2\xa0monitoring\xc2\xa0compliance?\xc2\xa0\n       The\xc2\xa0IRS\xc2\xa0uses\xc2\xa0the\xc2\xa0following\xc2\xa0tools\xc2\xa0and\xc2\xa0techniques\xc2\xa0for\xc2\xa0monitoring\xc2\xa0compliance\xc2\xa0with\xc2\xa0configuration\xc2\xa0\n       policy:\xc2\xa0\n            \xe2\x80\xa2 Windows\xc2\xa0Policy\xc2\xa0Checker\xc2\xa0for\xc2\xa0Windows\xc2\xa0XP,\xc2\xa0Windows\xc2\xa0NT,\xc2\xa0Windows\xc2\xa02000\xc2\xa0Professional,\xc2\xa0\n                Windows\xc2\xa02000\xc2\xa0Server,\xc2\xa0and\xc2\xa0Windows\xc2\xa02003\xc2\xa0Server.\xc2\xa0\n            \xe2\x80\xa2 Security\xc2\xa0Compliance\xc2\xa0Checker\xc2\xa0for\xc2\xa0Windows\xc2\xa0XP.\xc2\xa0\n            \xe2\x80\xa2 Unix\xc2\xa0Policy\xc2\xa0Checker\xc2\xa0for\xc2\xa0Unix,\xc2\xa0Solaris,\xc2\xa0and\xc2\xa0HP\xe2\x80\x90UX.\xc2\xa0\n            \xe2\x80\xa2 Mainframe\xc2\xa0Policy\xc2\xa0Checker\xc2\xa0for\xc2\xa0Mainframes.\xc2\xa0\n            \xe2\x80\xa2 OPNET\xc2\xa0Doctor\xc2\xa0for\xc2\xa0Cisco\xc2\xa0Router\xc2\xa0and\xc2\xa0Switches.\n            \xe2\x80\xa2 
Checklists\xc2\xa0for\xc2\xa0Linux,\xc2\xa0Oracle,\xc2\xa0SQL,\xc2\xa0DB2,\xc2\xa0and\xc2\xa0AIX.\nIndicate\xc2\xa0the\xc2\xa0status\xc2\xa0of\xc2\xa0the\xc2\xa0implementation\xc2\xa0of\xc2\xa0FDCC\xc2\xa0at\xc2\xa0your\xc2\xa0agency:\xc2\xa0\xc2\xa0\nAgency\xc2\xa0has\xc2\xa0documented\xc2\xa0deviations\xc2\xa0from\xc2\xa0FDCC\xc2\xa0standard\xc2\xa0configuration.\xc2\xa0Yes/No\xc2\xa0\n        Yes.\xc2\xa0\nNew\xc2\xa0Federal\xc2\xa0Acquisition\xc2\xa0Regulation\xc2\xa02007\xe2\x80\x90004\xc2\xa0language,\xc2\xa0which\xc2\xa0modified\xc2\xa0\xe2\x80\x9cPart\xc2\xa039\xe2\x80\x94Acquisition\xc2\xa0of\xc2\xa0\nInformation\xc2\xa0Technology,\xe2\x80\x9d\xc2\xa0is\xc2\xa0included\xc2\xa0in\xc2\xa0all\xc2\xa0contracts\xc2\xa0related\xc2\xa0to\xc2\xa0common\xc2\xa0security\xc2\xa0settings.\xc2\xa0Yes/No\xc2\xa0\n       No.\xc2\xa0\xc2\xa0In\xc2\xa0March\xc2\xa02009,\xc2\xa0we\xc2\xa0issued\xc2\xa0a\xc2\xa0report 1 \xc2\xa0in\xc2\xa0which\xc2\xa0we\xc2\xa0identified\xc2\xa0that\xc2\xa027\xc2\xa0of\xc2\xa030\xc2\xa0contracts\xc2\xa0for\xc2\xa0new\xc2\xa0\n       software\xc2\xa0products\xc2\xa0that\xc2\xa0we\xc2\xa0reviewed\xc2\xa0did\xc2\xa0not\xc2\xa0include\xc2\xa0the\xc2\xa0required\xc2\xa0FDCC\xc2\xa0contract\xc2\xa0language.\xc2\xa0\xc2\xa0The\xc2\xa0\n       IRS\xc2\xa0has\xc2\xa0not\xc2\xa0yet\xc2\xa0implemented\xc2\xa0policy\xc2\xa0that\xc2\xa0would\xc2\xa0require\xc2\xa0the\xc2\xa0inclusion\xc2\xa0of\xc2\xa0the\xc2\xa0FDCC\xc2\xa0language\xc2\xa0in\xc2\xa0\n       contracts\xc2\xa0for\xc2\xa0new\xc2\xa0software\xc2\xa0products.\xc2\xa0\xc2\xa0The\xc2\xa0IRS\xc2\xa0responded\xc2\xa0to\xc2\xa0the\xc2\xa0report\xc2\xa0that\xc2\xa0it\xc2\xa0planned\xc2\xa0to\xc2\xa0issue\xc2\xa0\n       an\xc2\xa0agency\xe2\x80\x90wide\xc2\xa0policy\xc2\xa0that\xc2\xa0will\xc2\xa0incorporate\xc2\xa0the\xc2\xa0FDCC\xc2\xa0contract\xc2\xa0language\xc2\xa0in\xc2\xa0information\xc2\xa0\n       
technology\xc2\xa0acquisitions.\xc2\xa0\n\nQuestion\xc2\xa08:\xc2\xa0Incident\xc2\xa0Reporting\xc2\xa0\nHow\xc2\xa0often\xc2\xa0does\xc2\xa0the\xc2\xa0agency\xc2\xa0comply\xc2\xa0with\xc2\xa0documented\xc2\xa0policies\xc2\xa0and\xc2\xa0procedures\xc2\xa0for\xc2\xa0identifying\xc2\xa0and\xc2\xa0\nreporting\xc2\xa0incidents\xc2\xa0internally?\xc2\xa0\xc2\xa0Answer\xc2\xa0will\xc2\xa0be\xc2\xa0a\xc2\xa0percentage\xc2\xa0range.\xc2\xa0\n        90\xc2\xa0percent\xe2\x80\x93\xc2\xa0100\xc2\xa0percent.\xc2\xa0\xc2\xa0This\xc2\xa0percentage\xc2\xa0rate\xc2\xa0is\xc2\xa0based\xc2\xa0on\xc2\xa0an\xc2\xa0August\xc2\xa02009\xc2\xa0TIGTA\xc2\xa0audit\xc2\xa0report 2 \xc2\xa0\n        which\xc2\xa0showed\xc2\xa0that\xc2\xa0IRS\xc2\xa0employees\xc2\xa0reported\xc2\xa096\xc2\xa0percent\xc2\xa0of\xc2\xa0all\xc2\xa0incidents\xc2\xa0involving\xc2\xa0the\xc2\xa0loss\xc2\xa0of\xc2\xa0\n\n\n1\n  Progress Has Been Slow in Implementing Federal Security Configurations on Employee Computers (Reference\nNumber 2009-20-055, dated March 27, 2009).\n2\n  Significant Improvements Have Been Made to Protect Sensitive Data on Laptop Computers and Other Portable\nElectronic Media Devices (Reference Number 2009-20-120, dated August 31, 2009).\n                                                                                                    Page 5\n\x0c        information\xc2\xa0technology\xc2\xa0assets\xc2\xa0to\xc2\xa0the\xc2\xa0IRS\xc2\xa0Computer\xc2\xa0Security\xc2\xa0Incident\xc2\xa0Response\xc2\xa0Center,\xc2\xa0whose\xc2\xa0\n        mission\xc2\xa0is\xc2\xa0to\xc2\xa0be\xc2\xa0proactive\xc2\xa0in\xc2\xa0preventing,\xc2\xa0detecting,\xc2\xa0and\xc2\xa0responding\xc2\xa0to\xc2\xa0computer\xc2\xa0security\xc2\xa0\n        
incidents targeting IRS enterprise information technology assets.

How often does the agency comply with documented policies and procedures for timely reporting of incidents to US-CERT? Answer will be a percentage range.

        Not applicable. The IRS does not report incidents directly to US-CERT. The IRS reports incidents
        to the Department of the Treasury. The Department of the Treasury serves as the central point
        for reporting Treasury bureau incidents to the US-CERT.

How often does the agency comply with documented policy and procedures for reporting to law enforcement? Answer will be a percentage range.

        90 percent – 100 percent. This percentage rate is based on an August 2009 TIGTA audit report³
        that showed that the IRS reported 96 percent of all incidents involving the loss of information
        technology assets to the TIGTA Office of Investigations, the law enforcement agency for the IRS.

Question 9: Security Awareness Training

Has the agency ensured IT security awareness training of all users with log in privileges, including contractors and those employees with significant IT security responsibilities? Provide explanatory detail in the space provided.

Has the agency developed and documented an adequate policy for identifying all general users, contractors, and system owners/employees who have log in privileges, and providing them with suitable IT security awareness training? Yes/No/Not Applicable

        Yes. The IRS identifies all employees and contractors including those with log in privileges as
        well as those without system access.

Report the following for your agency:

Total number of people with log in privileges to agency systems.

        86,535.

Number of people with log in privileges to agency systems that received information security awareness training during the past fiscal year, as described in NIST Special Publication 800-50, "Building an Information Technology Security Awareness and Training Program" (October 2003).

        107,568 people received information security awareness training. This included individuals with
        log in privileges as well as those without system access.

Total number of employees with significant information security responsibilities.

        5,919.

Number of employees with significant security responsibilities that received specialized training, as described in NIST Special Publication 800-16, "Information Technology Security Training Requirements: A Role- and Performance-Based Model" (April 1998).

        5,913.

³ Significant Improvements Have Been Made to Protect Sensitive Data on Laptop Computers and Other Portable Electronic Media Devices (Reference Number 2009-20-120, dated August 31, 2009).

Question 10: Peer-to-Peer File Sharing

Does the agency explain policies regarding the use of peer-to-peer file sharing in IT security awareness training, ethics training, or any other agency-wide training? Yes/No

        Yes.
